This document is DIS' recommended method for implementing a Windows Server 2019
and Active Directory (AD) Environment within a K12 network.


WINDOWS SERVER 2019 REQUIREMENTS

Processor
  - Minimum: 1.4GHz (x64 processor)
  - Recommended: 2GHz or faster
  Note: Processor performance depends not only on the clock frequency of the
  processor, but also on the number of processor cores and the size of the
  processor cache.

Available Disk Space
  - Minimum: 32GB or greater
  - Recommended: 80GB or greater
  Note: Computers with more than 16GB of RAM will require more disk space for
  paging, hibernation, and dump files.

Display and Peripherals
  - Super VGA (800 x 600) or higher-resolution monitor
  - Keyboard
  - Microsoft Mouse or compatible pointing device
  - Internet Access
WINDOWS SERVER 2019 GLOSSARY OF TERMS

Windows Server
  Windows Server is a group of operating systems designed by Microsoft that
  supports enterprise-level management, data storage, applications, and
  communications. In a technical sense, a server is an instance of a computer
  program that accepts and responds to requests made by another program, known
  as a client. Examples: Application, Proxy, Mail, Web, DHCP, FTP & VPN Servers.

Active Directory Domain Services / Domain Controller
  A server running Active Directory Domain Services (AD DS) is called a domain
  controller (DC). It authenticates and authorizes all users and computers in a
  Windows domain-type network, assigning and enforcing security policies for all
  computers and installing or updating software. For example, when a user logs
  into a computer that is part of a Windows domain, Active Directory checks the
  submitted password and determines whether the user is a system administrator
  or a normal user. It also allows management and storage of information,
  provides authentication and authorization mechanisms, and establishes a
  framework to deploy other related services: Certificate Services, Active
  Directory Federation Services, Lightweight Directory Services and Rights
  Management Services.
Organizational Unit
  An organizational unit (OU) is a subdivision within an Active Directory into
  which you can place users, groups, computers, and other organizational units.
  You can create organizational units to mirror your organization's functional
  or business structure. Each domain can implement its own organizational unit
  hierarchy.

Groups
  Groups are used to collect user accounts, computer accounts, and other groups
  into manageable units. Working with groups instead of with individual users
  helps simplify network maintenance and administration. There are two types of
  groups in Active Directory: a Distribution Group is used to create email
  distribution lists; a Security Group provides a logical grouping of objects,
  and the group itself can be used as a security principal in an Access Control
  List (ACL).

Group Policy
  Group Policy is a feature of the Microsoft Windows NT family of operating
  systems that controls the working environment of user accounts and computer
  accounts. Group Policy provides centralized management and configuration of
  operating systems, applications, and users' settings in an Active Directory
  environment. A version of Group Policy called Local Group Policy ("LGPO" or
  "LocalGPO") also allows Group Policy Object management on standalone and
  non-domain computers.

Group Policy Object
  A Group Policy Object (GPO) is a collection of settings that define what a
  system will look like and how it will behave for a defined group of users.
  Microsoft provides a program snap-in that allows you to use the Group Policy
  Microsoft Management Console (MMC).

IP Address
  An Internet Protocol address (IP address) is a numerical label assigned to
  each device connected to a computer network that uses the Internet Protocol
  for communication. An IP address serves two principal functions: host or
  network interface identification and location addressing.

Firewall
  A technological barrier designed to prevent unauthorized or unwanted
  communications between computer networks or hosts.
Dynamic Host Configuration Protocol
  The Dynamic Host Configuration Protocol (DHCP) is a network management
  protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an
  IP address and other network configuration parameters to each device on a
  network so they can communicate with other IP networks. A DHCP server enables
  computers to request IP addresses and networking parameters automatically
  from the Internet service provider (ISP), reducing the need for a network
  administrator or a user to manually assign IP addresses to all network
  devices. In the absence of a DHCP server, a computer or other device on the
  network needs to be manually assigned an IP address. DHCP can be implemented
  on networks ranging in size from home networks to large campus networks and
  regional Internet service provider networks. A router or a residential
  gateway can be enabled to act as a DHCP server. Most residential network
  routers receive a globally unique IP address within the ISP network. Within a
  local network, a DHCP server assigns a local IP address to each device
  connected to the network.

Domain Name System
  The Domain Name System (DNS) is a hierarchical decentralized naming system
  for computers, services, or other resources connected to the Internet or a
  private network. It associates various information with domain names
  assigned to each of the participating entities. Most prominently, it
  translates more readily memorized domain names to the numerical IP addresses
  needed for locating and identifying computer services and devices with the
  underlying network protocols. By providing a worldwide, distributed directory
  service, the Domain Name System is an essential component of the
  functionality of the Internet, and has been in use since 1985. The Domain
  Name System delegates the responsibility of assigning domain names and
  mapping those names to Internet resources by designating authoritative name
  servers for each domain. Network administrators may delegate authority over
  sub-domains of their allocated name space to other name servers. This
  mechanism provides distributed and fault-tolerant service and was designed to
  avoid a single large central database.
Server Manager
  Server Manager is a management console in Windows Server that helps IT
  professionals provision and manage both local and remote Windows-based
  servers from their desktops, without requiring either physical access to
  servers or the need to enable Remote Desktop Protocol (RDP) connections to
  each server.

Sysvol
  The System Volume (Sysvol) is a shared directory that stores the server copy
  of the domain's public files that must be shared for common access and
  replication throughout a domain. The Sysvol folder on a domain controller
  contains the following items:
  - Net Logon shares. These typically host logon scripts and policy objects
    for network client computers.
  - User logon scripts for domains where the administrator uses Active
    Directory Users and Computers.
  - Windows Group Policy & file system junctions.
  - File Replication Service (FRS) staging folder and files that must be
    available and synchronized between domain controllers.

RAID
  RAID (Redundant Array of Independent Disks, originally Redundant Array of
  Inexpensive Disks) is a data storage virtualization technology that combines
  multiple physical disk drive components into one or more logical units for
  the purposes of data redundancy, performance improvement or both.

Virtualization
  In computing, virtualization means to create a virtual version of a device or
  resource, such as a server, storage device, network or even an operating
  system, where the framework divides the resource into one or more execution
  environments. Even something as simple as partitioning a hard drive is
  considered virtualization because you take one drive and partition it to
  create two separate hard drives. Devices, applications and human users are
  able to interact with the virtual resource as if it were a real single
  logical resource.
VIRTUALIZATION RIGHTS

Attribute                  Datacenter       Standard         Essentials
Licensing model            Per Core/CAL¹    Per Core/CAL¹    Specialty servers²
License type               Core license     Core license     Server license
OSEs/Hyper-V containers    Unlimited        Two³             One⁴
Windows Server containers  Unlimited        Unlimited

¹ All physical cores on the server must be licensed, subject to a minimum of 8 core
  licenses per physical processor and a minimum of 16 core licenses per server.

² Windows Server Essentials edition server is for either one or two processor servers.

³ Windows Server Standard edition permits use of one running instance of the server
  software in the physical OSE on the licensed server (in addition to two virtual
  OSEs), if the physical OSE is used solely to host and manage the virtual OSEs.

⁴ Windows Server Essentials edition permits use of one running instance of the server
  software in the physical OSE on the licensed server (in addition to one virtual
  OSE), if the physical OSE is used solely to host and manage the virtual OSE.


Datacenter Edition — When all physical cores on the server are licensed,
Windows Server Datacenter edition provides rights to use unlimited operating
system environments (OSEs) or Hyper-V containers and unlimited Windows
Server containers on the licensed server.

Standard Edition — When all physical cores on the server are licensed, Windows
Server Standard edition provides rights to use two Operating System
Environments (OSEs) or Hyper-V containers and unlimited Windows Server
containers on the licensed server.

**For example, a 2-processor server with 8 cores per processor requires 16 core
licenses (in other words, one 16-pack of core licenses or eight 2-packs of core
licenses) and gives rights to two OSEs or two Hyper-V containers. In the case of
this example, for each additional two OSEs or two Hyper-V containers the
customer wishes to use, an additional 16 core licenses must be assigned to the
server.
PRE-INSTALLATION REQUIREMENTS

- Microsoft Windows Server 2019 DVD (with Service Pack, IF applicable).
- 1 NAT IP Address (Statically Assigned)
- Bootable USB Drive / DVD (at least an 8GB USB Drive / Blank Dual Layer DVD-R)

**For assistance with creating a Bootable USB Drive skip to page 96 - 100
**Certain servers will require SCSI/RAID Controller Drivers.
**RAID Configuration & Logical Drives should be configured before server
installation.


INSTALLATION

1. Purchase Windows Server Edition / Download .ISO & Activation Key.
   For an ESS Agreement, log on to the Microsoft Volume Licensing Service Center
   (VLSC): https://www.microsoft.com/Licensing/servicecenter/default.aspx

2. Insert the appropriate Windows Server 2019 installation media into your
   server and reboot (DVD-ROM / Bootable USB).

3. After restarting the server, boot to the DVD-ROM / USB. Wait for Setup to
   display a dialog box.

4. When prompted for an installation language and other regional options,
   make your selection and press Next.


Arkansas Department of Information Systems — APSCN LAN Support 
Printed on 5/16/2022 


5. Next, press Install Now to begin the installation process. 




LICENSING EDITIONS 


Choose from three primary editions of Windows Server, based on the size of your organization 
as well as virtualization and datacenter requirements: 


- Datacenter Edition is ideal for highly virtualized and software-defined datacenter
  environments.

- Standard Edition is ideal for customers with low density or non-virtualized
  environments.

- Essentials Edition is a cloud-connected first server, ideal for small businesses with up to
  25 users and 50 devices. Essentials is a good option for customers currently using the
  Foundation edition, which is not available with Windows Server 2019.


**All physical cores on the server must be licensed, subject to a minimum of 8 core licenses per 
physical processor and a minimum of 16 core licenses per server. 


**CALs are required for every user or device accessing a server. See the Product Terms for 
details. 


Windows Server 2019 offers additional features in Standard and Datacenter editions. Features 
exclusive to the Windows Server 2019 Datacenter edition include Shielded Virtual Machines, 
software-defined networking, Storage Spaces Direct, and Storage Replica. While no features 
from the Windows Server 2012 R2 Standard edition have been removed, we have added 
features like Nano Server and unlimited Windows Server containers to the Windows Server 
2019 Standard edition. 
6. Select the proper edition of Windows Server 2019 that is to be installed and
   press Next.
   - Note: choose Desktop Experience for an operating system with a GUI
     (Graphical User Interface).




7. Read and accept the license terms by clicking to select the checkbox and 
pressing Next. 


8. In the "Which type of installation do you want?" window, click the only
   available option — Custom: Install Windows only (Advanced).




9. Select the disk that you will be installing Windows Server 2019 onto and then 
click New to create a partition that Windows Server 2019 will be installed on. 


10. In the "Size:" entry box, enter the size of the partition and press Next.

**The size is entered in megabytes (MB). MB * 10240 = Size to be entered.
**Example: 10240MB x 10 = 102.4 GB Drive. Recommend at least 100GB for the C: drive.




11. You will see the following screen while the installation files are copied to the
server. The server will reboot to complete the installation (leave the media inserted).

**See notes on partition types:
**When creating new partitions, if the disk is over 2 TB or the server boots with
UEFI, GPT is the recommended partition style.


You don't usually have to worry about partition style - Windows automatically 
uses the appropriate disk type. Most PCs use the GUID Partition Table (GPT) 
disk type for hard drives and SSDs. GPT is more robust and allows for volumes 
bigger than 2 TB. The older Master Boot Record (MBR) disk type is used by 32- 
bit PCs, older PCs, and removable drives such as memory cards. To convert a 
disk from MBR to GPT or vice versa, you first have to delete all volumes from 
the disk, erasing everything on the disk. 




11. Once the server has completed the setup, it will notify you that the password
needs to be set. This password MUST meet Microsoft password complexity
requirements. It will require a minimum password length of 8 characters and
three out of the four following categories:

- Create a complex Password / Password Phrase

- Uppercase letters of European languages (A through Z, with
  diacritic marks, Greek and Cyrillic characters)

- Lowercase letters of European languages (a through z, sharp-s,
  with diacritic marks, Greek and Cyrillic characters)

- Base 10 digits (0 through 9)

- Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
  Currency symbols such as the Euro or British Pound are not counted as special
  characters for this policy setting.

**Do Not Use Default Passwords for the Administrator Account
such as Password1 / Password123, etc.
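The following is an added example, not part of the DIS guide: a PowerShell function that applies the complexity rule described above (minimum length 8, at least three of the four categories) to a candidate password, so the rule can be checked before it is typed into the setup screen. The sample passwords at the end are constructed for illustration.

```powershell
# Added example (not from the DIS guide). Evaluates a candidate password against the
# Windows complexity policy as described in the guide: length >= 8 and characters from
# at least three of the four categories.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 8
    )

    # \p{Lu} / \p{Ll} are the Unicode upper/lower-case letter classes, which cover the
    # accented, Greek and Cyrillic letters the policy text lists.
    # The special-character set is exactly the one the policy lists; currency symbols
    # such as the Euro or Pound are not in it and therefore do not count.
    $special = '~!@#$%^&*_-+=`|\(){}[]:;"''<>,.?/'

    $categories = [ordered]@{
        Uppercase = [regex]::IsMatch($Password, '\p{Lu}')
        Lowercase = [regex]::IsMatch($Password, '\p{Ll}')
        Digit     = [regex]::IsMatch($Password, '[0-9]')
        Special   = @($Password.ToCharArray() | Where-Object { $special.IndexOf($_) -ge 0 }).Count -gt 0
    }

    $met        = @($categories.GetEnumerator() | Where-Object { $_.Value }).Count
    $longEnough = $Password.Length -ge $MinimumLength

    [pscustomobject]@{
        Password      = $Password
        LongEnough    = $longEnough
        CategoriesMet = $met
        Complex       = $longEnough -and ($met -ge 3)
    }
}

# Constructed sample passwords, not real credentials. Note that 'Password1' passes the
# complexity check, which is why the guide separately forbids such default passwords.
'Password1', 'P@ssw0rd!', 'correcthorse', 'Sch00l-Dist', 'Ab1€' |
    ForEach-Object { Test-PasswordComplexity -Password $_ } |
    Format-Table -AutoSize
```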




12. Once the password is successfully changed, the server will login to the initial 
desktop and Server Manager will start up automatically. 
SERVER INITIAL CONFIGURATION
1. On the Server Manager screen, click on Local Server.
2. Activate Windows and insert the key. (Must have an Internet connection.)
   Click Product ID and enter the Windows license key (MAK).

*Note: if activation is not available, you can activate manually using the
SLMGR command. Open a command prompt and enter the following command:
slmgr -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX (Windows key)


3. Change Computer Name — Use a good naming convention for asset management 
**Example — Building Name + Device = Admin-DC1, HS-DC1, MS-AS1 etc. 
Anatomy of a Device Name

Example: USNHCDB-P001 = US | NH | C | DB | -P | 001

  Country Code       e.g. US
  Location Code      e.g. town, city, etc.
  Unique Site Code   e.g. street or building ID
  Device Role        e.g. DB=database, DC=domain controller, AS=app server,
                     SW=switch, WS=web server, RT=router, etc.
  Service Level      e.g. P=production, D=dev, T=test, S=staging, etc.
  Sequential ID      e.g. 001


4. Set Time Zone — Correct Time Zone (Central Time)
5. Enable Remote Desktop for Remote Management
   **Click "Allow connections only from computers running Remote Desktop with
   Network Level Authentication (recommended)"
6. Configure Networking and change to a Static IP, and disable IPv6 by unchecking the
   option for TCP/IPv6.
7. Enable Windows Updates.
8. Download and install updates.
9. Turn off IE Enhanced Security Configuration for Administrators only.
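Steps 3 to 9 above can also be applied from an elevated PowerShell prompt. The script below is an added example, not part of the DIS guide: the computer name follows the guide's naming example, while the adapter name 'Ethernet', the addresses and the DNS server are constructed placeholders to be replaced with the site's own values.

```powershell
# Added example (not from the DIS guide): steps 3 to 9 of "Server Initial Configuration"
# applied from an elevated PowerShell prompt. Values below are constructed placeholders
# except the computer name, which follows the guide's Building + Device convention.
$ComputerName   = 'HS-DC1'
$InterfaceAlias = 'Ethernet'        # find yours with: Get-NetAdapter
$StaticIP       = '10.0.0.10'       # the statically assigned NAT address
$PrefixLength   = 24                # 255.255.255.0
$Gateway        = '10.0.0.1'
$DnsServers     = @('10.0.0.10')    # points at itself, as the AD DS section requires

# 3. Computer name (applied at the reboot at the end of the script)
Rename-Computer -NewName $ComputerName -Force

# 4. Time zone (Central Time)
Set-TimeZone -Id 'Central Standard Time'

# 5. Remote Desktop, accepting only clients that use Network Level Authentication
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 6. Static IPv4 address and DNS; clear any DHCP-assigned address and route first
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $StaticIP `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
# Equivalent of unchecking "Internet Protocol Version 6 (TCP/IPv6)" on the adapter
Disable-NetAdapterBinding -Name $InterfaceAlias -ComponentID ms_tcpip6

# 7./8. Windows Update: make sure the service runs. Downloading and installing the
# updates themselves is done through Settings > Update & Security (or sconfig);
# Windows Server has no built-in cmdlet for it.
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv

# 9. IE Enhanced Security Configuration off for Administrators only
# ({A509B1A7-...} is the Administrators component; the Users component is left enabled)
$ieEscAdmin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
Set-ItemProperty -Path $ieEscAdmin -Name IsInstalled -Value 0

Restart-Computer
```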




DISABLE IPV6 via REGISTRY EDITOR 


**Recommended To Be Done 
1. Open the Registry Editor by moving your mouse over the bottom-left Windows
   Key (or pressing the Windows key on the keyboard), type REGEDIT and press Enter.

2. Expand the following key structure in the Registry Editor:

HKEY_LOCAL_MACHINE
 |---System
      |---CurrentControlSet
           |---Services
                |---Tcpip6
                     |---Parameters

3. Right-click on the Parameters key and click New > DWORD (32-Bit) Value.




4. Type in the name DisabledComponents and press Enter. (name is case sensitive) 


5. Double-click on the newly created key and enter ffffffff (8 f’s) for the value data 
in Hexadecimal mode. 

6. Close the Registry Editor 
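The same registry change, with a read-back check, as an added PowerShell example that is not part of the DIS guide. The function defaults to the guide's value ffffffff; Microsoft's IPv6 configuration guidance documents that 0xffffffff causes a startup delay and gives 0xff as the value that disables all IPv6 components, so the value is taken as a parameter.

```powershell
# Added example (not from the DIS guide): steps 1 to 6 above as a function.
# The hex string mirrors what is typed into the "Hexadecimal" value box in regedit.
function Set-IPv6DisabledComponents {
    param(
        # Guide's value. Microsoft's documented alternative is 'ff' (disables all IPv6
        # components without the startup delay 0xffffffff is known to cause).
        [string]$HexValue = 'ffffffff'
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $name = 'DisabledComponents'     # case sensitive, as the guide notes

    # Parse the hex string as an unsigned 32-bit value...
    $asUInt32 = [uint32]::Parse($HexValue, [System.Globalization.NumberStyles]::HexNumber)
    # ...and reinterpret the same bits as Int32, because REG_DWORD is written through a
    # signed Int32 and a checked cast of 0xffffffff would overflow.
    $asInt32  = [System.BitConverter]::ToInt32([System.BitConverter]::GetBytes($asUInt32), 0)

    # -Force overwrites an existing value instead of failing
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $asInt32 -Force | Out-Null

    # Read back and present the value the way regedit shows it
    $stored = (Get-ItemProperty -Path $key -Name $name).$name
    $shown  = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes([int32]$stored), 0)
    [pscustomobject]@{
        Key   = $key
        Name  = $name
        Value = ('0x{0:x8}' -f $shown)
    }
}

Set-IPv6DisabledComponents          # takes effect after the next reboot
```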


DISABLE WINDOWS FIREWALL 


7. Open Windows Firewall with Advanced Security by moving your mouse over the
   bottom-left Windows Key (or pressing the Windows key on the keyboard), type
   FIREWALL and press Enter.



Choose Advanced Settings. In the middle of the screen you will find an "Overview"
section; at the bottom of this section click Windows Firewall Properties.

Turn off the Firewall state for Domain Profile and Private Profile.


**It is highly recommended that the Firewall be enabled on the DIS Router if you are not
using a third-party firewall. If you do not have any firewall appliance, you may wish to
leave the Windows Firewall enabled. Adjust the scopes of the Inbound/Outbound rules
to meet application requirements.

**Recommended: create inbound / outbound rules that allow specific ports & programs
through the firewall instead of just turning the firewall off.
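As an added example (not part of the DIS guide) of the recommended alternative: keep all three profiles enabled with logging, enable the built-in rule groups for the roles this guide installs, and scope a custom rule to the school's internal subnets. The rule group names are Windows Server's built-in display groups; the application port 8443 and the 10.10.0.0/16 and 10.20.0.0/16 subnets are constructed placeholders.

```powershell
# Added example (not from the DIS guide): keep the firewall on and allow only what the
# domain controller needs, instead of turning the Domain/Private profiles off.

# All profiles on, block unsolicited inbound, log dropped packets for troubleshooting
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed False -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Built-in rule groups for AD DS, DNS and remote administration (present after the
# roles are installed; groups that do not exist yet are skipped silently).
$groups = @(
    'Active Directory Domain Services',
    'DNS Service',
    'File and Printer Sharing',
    'Remote Desktop',
    'Windows Remote Management'
)
foreach ($g in $groups) {
    Enable-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
}

# A scoped application rule: one TCP port, Domain profile only, reachable only from the
# internal subnets (constructed values). This is the "adjust the scope" the note asks for.
New-NetFirewallRule -DisplayName 'School App - TCP 8443 (internal only)' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress '10.10.0.0/16', '10.20.0.0/16' `
    -Profile Domain -Action Allow | Out-Null

# Verify the resulting profile state
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogFileName
```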


DOMAIN SERVICES AND ACTIVE DIRECTORY SETUP

**Before starting this section, make sure that your server has a statically assigned IP
address and that the DNS IP address in the TCP/IP settings is pointing to itself.

We do not have to pre-install the DNS Server Role or pre-create our DNS zone. When
the Active Directory Domain Services Role is installed, the DNS Server Role will be
automatically installed and configured with the DNS zone specified during the Active
Directory installation.


1. Launch Server Manager. 


2. Click Manage and then select Add Roles and Features. 




3. On the Before You Begin screen, click Next.

4. On the Select Installation Type screen, select Role-based or Feature-based
   installation and click Next.

5. On the Select Destination Server screen, click Next.

6. Check the box to the left of Active Directory Domain Services.
7. On the Add Roles and Features Wizard dialogue box, click Add Features.

8. Click Next for the rest of the screens, and then click Install.

9. When the installation is finished, click Close.

10. Promote the Server to be a Domain Controller by clicking the Notifications icon
    (Flag Icon) and then selecting Promote this Server to a Domain Controller.


11. On the Deployment Configuration screen, select Add a new forest. Type the
    DNS name for the new domain in Root Domain Name and click Next.




**DIS recommends you type your abbreviated school district name followed
by .local, e.g. school.local. DO NOT end your domain name with .com, .net,
.org, .edu, or any other domain name that is resolvable on the Internet.

**This domain name is for INTERNAL resolution only.

**This step and those following assume this is the first Domain Controller in
a new domain, tree and forest.


12. For the Forest Functional Level and the Domain Functional Level, select
    Windows Server 2019 and click Next.

**If any previous versions of the Windows Server operating system (2012 or 2016 R2)
are present in the domain or will be introduced as Domain Controllers,
select the corresponding Forest and Domain Functional Level.

**Windows Server 2012 End-of-life mainstream support October 10, 2023
**Windows Server 2016 End-of-life mainstream support January 11, 2022
**Windows Server 2019 End-of-life mainstream support January 09, 2024


13. Under Domain Controller Capabilities, make sure that the DNS and Global Catalog 
options are selected. 


14. Under Directory Services Restore Mode (DSRM) Password, enter a complex 
password that is UNIQUE to this server and is NOT your normal administrator 
password, and click Next. 


15. On the DNS Options screen click Next. 


**Ignore the Parent zone delegation warning on top of the screen. It will be 
created during initial AD installation. 


16. On the Additional Options screen click Next. 
17. On the Location for Database, Log Files and SYSVOL screen click Next. 


18. On the Review Options screen click Next. 
19. On the Prerequisites Check screen, review the warnings and errors, if any. Click 
Install to start the Domain Controller promotion. 


[Screenshot: Active Directory Domain Services Configuration Wizard, Prerequisites Check. "Prerequisites need to be validated before Active Directory Domain Services is installed on this computer." The results pane lists these warnings:] 

- Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751). 
- This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System ... 
- If you click Install, the server automatically reboots at the end of the promotion operation. 

20. When the Active Directory installation finishes, the computer will automatically 
restart. 
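Steps 11 through 20 can also be run from PowerShell with the ADDSDeployment module, which is what the wizard calls underneath. The script below is an added example, not part of the DIS guide. It assumes the guide's sample name school.local, that the AD DS role is already installed, and it prompts for the DSRM password instead of embedding it. WinThreshold is the highest functional level Install-ADDSForest accepts (the wizard lists it as Windows Server 2016; there is no separate 2019 level).

```powershell
# Added example (not from the DIS guide): promote the first DC of a new
# forest, mirroring wizard steps 11-20. Assumes the AD DS role is installed
# and the internal-only name school.local (the guide's sample).
Import-Module ADDSDeployment

$domainName = 'school.local'   # internal-only name, never a public suffix

# Refuse names that resolve on the internet, as the guide requires.
foreach ($suffix in @('.com', '.net', '.org', '.edu')) {
    if ($domainName.ToLower().EndsWith($suffix)) {
        throw "Root domain name '$domainName' ends with '$suffix'; use an internal suffix such as .local"
    }
}

# DSRM password: prompted, so it never sits in a script file. It must be
# unique to this server and different from the normal administrator password.
$dsrmPassword = Read-Host -Prompt 'Enter the DSRM password for this server' -AsSecureString

# Dry run: the same checks the wizard shows on the Prerequisites Check screen.
$check = Test-ADDSForestInstallation `
    -DomainName $domainName `
    -SafeModeAdministratorPassword $dsrmPassword `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns

if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the errors above before promoting.'
}

# -InstallDns and -CreateDnsDelegation:$false match steps 13 and 15; the
# paths are the wizard defaults accepted in step 17. The first DC is always
# a Global Catalog. The server reboots automatically when promotion ends.
Install-ADDSForest `
    -DomainName $domainName `
    -SafeModeAdministratorPassword $dsrmPassword `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force
```

Run it in an elevated PowerShell session on the server being promoted; the prerequisite output is the same list of warnings the screenshot above shows, so the static-IP warning should be resolved before the final command runs.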


ADDITIONAL DNS CONFIGURATION 


REVERSE LOOKUP ZONES 


21. Log into the server when the server has completely booted back up. 


22. Launch Server Manager, click on Tools and select DNS from the drop down list. 


[Screenshot: Server Manager Tools menu with DNS selected] 
23. Expand your server name, right-click on Reverse Lookup Zones and click New 
Zone. 
[Screenshot: New Zone Wizard, Zone Type: Primary zone selected; "Store the zone in Active Directory (available only if DNS server is a writeable domain controller)" checked] 


24. On the Zone Type screen, take the defaults and click Next. 


25. For the Active Directory Zone Replication Scope, select To all DNS Servers 
running on domain controllers in this domain and click Next. 


[Screenshot: New Zone Wizard, Active Directory Zone Replication Scope: "To all DNS servers running on domain controllers in this domain: school.local" selected] 


26. Select IPv4 Reverse Lookup Zone and click Next. 


27. For the reverse zone name, enter the first two/three octets of your IP range 
and click Next. 

**If the IP range spans multiple "class C subnets", ONLY enter the first two 
octets, e.g. if the IP range is 10.10.0.0 to 10.10.1.255, then you would only 
enter 10.10 


28. On the Dynamic Update screen, take the default and click Next. 
29. Click Finish to create the new zone. 


**Steps 23 through 26 must be completed for Public and Private IP subnets being used 
in the Active Directory environment. 
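The same zones can be created with the DnsServer module, which saves repeating steps 23 through 29 once per subnet. This is an added example, not code from the DIS guide: it takes a list of network IDs (the guide's 10.10.0.0 to 10.10.1.255 range becomes 10.10.0.0/16 so the zone is 10.10.in-addr.arpa, and 203.0.113.0/24 is a constructed placeholder for a district's public range), derives the zone name the wizard would build, and creates each zone with the defaults the guide accepts.

```powershell
# Added example (not from the DIS guide): AD-integrated IPv4 reverse lookup
# zones from PowerShell, equivalent to wizard steps 23-29. Assumes it runs
# on a DC that is also a DNS server.
Import-Module DnsServer

function New-ReverseZoneForRange {
    param([Parameter(Mandatory)] [string] $NetworkId)   # e.g. '10.10.0.0/16'

    # The wizard works on whole octets: two octets for a range spanning
    # several class C subnets, three for a single /24.
    $ip, $prefix = $NetworkId.Split('/')
    if ([int]$prefix % 8 -ne 0) { throw "Use a /8, /16 or /24 network ID for $NetworkId" }
    $count  = [int]([int]$prefix / 8)
    $octets = $ip.Split('.')[0..($count - 1)]
    [array]::Reverse($octets)
    $zoneName = ($octets -join '.') + '.in-addr.arpa'

    if (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue) {
        Write-Host "Zone $zoneName already exists; skipping"
        return $zoneName
    }
    # Defaults the guide accepts: primary zone stored in AD, replicated to
    # all DNS servers on DCs in this domain, secure dynamic updates only.
    Add-DnsServerPrimaryZone -NetworkId $NetworkId `
        -ReplicationScope Domain `
        -DynamicUpdate Secure
    Write-Host "Created reverse zone $zoneName for $NetworkId"
    return $zoneName
}

# One zone per private and per public subnet in use. 203.0.113.0/24 is a
# constructed placeholder (documentation range) for the district's public block.
foreach ($net in @('10.10.0.0/16', '203.0.113.0/24')) {
    New-ReverseZoneForRange -NetworkId $net
}

# Check: every reverse zone should be AD-integrated, not file-backed.
Get-DnsServerZone | Where-Object IsReverseLookupZone |
    Format-Table ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
```

The final listing is the check a reviewer would want after the wizard too: a reverse zone that shows IsDsIntegrated as False was created as a file-backed primary zone and will not replicate to the other domain controllers.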


STALE RECORD SCAVENGING 


30. Within the DNS Manager, right-click on your DNS server and click Set 
Aging/Scavenging for All Zones. 


31. Check the box Scavenge stale resource records and then click OK. 


[Screenshot: DNS Manager, Server Aging/Scavenging Properties: "Scavenge stale resource records" checked; No-refresh interval: 7 days (the time between the most recent refresh of a record timestamp and the moment when the timestamp may be refreshed again); Refresh interval: 7 days (the time between the earliest moment when a record timestamp can be refreshed and the earliest moment when the record can be scavenged; the refresh interval must be longer than the maximum record refresh period)] 


32. When prompted with the Server Aging/Scavenging Confirmation box, check 
the Apply these settings to the existing Active Directory-integrated zones 
option and then click OK. 


**Steps 30 and 32 must be completed on each DNS server. 
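Because steps 30 through 32 have to be repeated on every DNS server, they are a good fit for a loop over the domain controllers. The script below is an added example, not code from the DIS guide; it assumes it runs as a Domain Admin from a domain-joined host with the DnsServer and ActiveDirectory modules, and uses the 7-day intervals shown in the screenshot.

```powershell
# Added example (not from the DIS guide): enable stale-record scavenging on
# every DC that runs DNS, applying the server defaults to all existing
# AD-integrated zones (the confirmation box in step 32).
Import-Module DnsServer
Import-Module ActiveDirectory

$dnsServers = (Get-ADDomainController -Filter *).HostName

foreach ($server in $dnsServers) {
    # No-refresh and refresh intervals from the screenshot (7 days each).
    # ScavengingInterval is how often this server actually runs a scavenge
    # pass; 7 days matches the console default.
    Set-DnsServerScavenging -ComputerName $server `
        -ScavengingState $true `
        -NoRefreshInterval 7.00:00:00 `
        -RefreshInterval   7.00:00:00 `
        -ScavengingInterval 7.00:00:00 `
        -ApplyOnAllZones

    # Read the settings back so a server that did not take them is visible
    # in the run output instead of silently keeping stale records.
    $state = Get-DnsServerScavenging -ComputerName $server
    [pscustomobject]@{
        Server            = $server
        ScavengingEnabled = $state.ScavengingState
        NoRefreshInterval = $state.NoRefreshInterval
        RefreshInterval   = $state.RefreshInterval
        LastScavengeTime  = $state.LastScavengeTime
    }
}
```

LastScavengeTime stays empty until the first pass has run, so a populated value on a later check is the confirmation that scavenging is actually working on that server.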
**A static IP address and DNS servers must be assigned to the network adapter (not a 
loopback address 127.0.0.1). 

**The correct method is "Self First" (as the Preferred DNS server), then the other DCs as alternates. 
**Warning — Do Not Point Windows Server DNS to OpenDNS Virtual Appliance Servers 


Example 
DC1 — IP Address 10.10.10.6 
DC2 — IP Address 10.10.10.7 


**When promoting a new server into an existing forest or domain, the new server 
will have to point to another DC first and can then be changed after the server has 
been successfully promoted. 
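The adapter settings shown in the screenshot below can be applied from PowerShell. This added example is not from the DIS guide: it uses the guide's sample addresses (DC1 10.10.10.6, DC2 10.10.10.7) and the mask 255.255.248.0 (/21) and gateway 10.10.10.1 from the screenshot; the interface alias "Ethernet" is an assumption. It sets the static address, puts the server itself first in the DNS list, and refuses the loopback address.

```powershell
# Added example (not from the DIS guide): static IPv4 address plus the
# "self first" DNS client order on DC1. Adjust $otherDcs to list every other
# DC; when promoting a new server into an existing forest, put an existing
# DC first instead and switch to self-first after promotion, as the guide says.
$ifAlias   = 'Ethernet'        # assumed adapter name
$selfIp    = '10.10.10.6'      # this DC (DC1)
$otherDcs  = @('10.10.10.7')   # remaining DCs, used as alternates
$gateway   = '10.10.10.1'
$prefixLen = 21                # 255.255.248.0

# Drop any DHCP/APIPA address and existing default route, then set the static one.
Set-NetIPInterface -InterfaceAlias $ifAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $ifAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $ifAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $ifAlias -IPAddress $selfIp `
    -PrefixLength $prefixLen -DefaultGateway $gateway | Out-Null

# Preferred = self, alternates = the other DCs. 127.0.0.1 is never used.
$dnsOrder = @($selfIp) + $otherDcs
if ($dnsOrder -contains '127.0.0.1') { throw 'Loopback is not allowed as a DNS server address' }
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $dnsOrder

# Verify what the adapter actually has now.
$configured = (Get-DnsClientServerAddress -InterfaceAlias $ifAlias -AddressFamily IPv4).ServerAddresses
if ($configured[0] -ne $selfIp) {
    throw "DNS client order on $ifAlias is $($configured -join ', '); expected $selfIp first"
}
"DNS client order on ${ifAlias}: $($configured -join ', ')"
```

On DC2 the values of $selfIp and $otherDcs swap; the check at the end catches the common mistake of copying the script between servers without changing them.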


[Screenshot: Network Connections, Internet Protocol Version 4 (TCP/IPv4) Properties: "Use the following IP address" selected; Subnet mask 255.255.248.0; Default gateway 10.10.10.1; "Use the following DNS server addresses" selected, with Preferred DNS server and Alternate DNS server fields; Validate settings upon exit] 


DNS FORWARDERS 


By setting the DNS Forwarders to the DIS DNS servers, your server will not have to perform 
a full DNS resolution of a requested domain name. Rather, it will query the DNS servers 
at DIS for the specified DNS entry and, if cached, the DIS DNS servers will return the 
result from their local cache. If the DIS DNS server does not have the result in its cache, it 
will perform the full lookup of the DNS name and return the result to your DNS server 
to be delivered to your client. 


With Windows Server 2019, should the DIS DNS Servers become unavailable, your DNS 
server will default to use the DNS Root Hint servers on the Internet for DNS resolution. 


**Exception Cisco Umbrella (OpenDNS Server) — Do Not Use DNS Root Hint 
1. Within the DNS Manager, right-click your server and click Properties. 


2. Click the Forwarders tab and then click the Edit button. Add the appropriate 
Forwarders for your Windows environment. 


3. Enter your DIS DNS Servers / OpenDNS Server as specified below and click OK. 
** OpenDNS Servers are used for Cisco Umbrella Content Filtering 


DIS DNS Servers 
DNS = 170.94.156.195, 170.94.156.196 Little Rock DNS Servers 
DNS = 66.204.1.66 Fayetteville POP DNS Server 


[Screenshot: DC-A Properties, Forwarders tab. "Forwarders are DNS servers that this server can use to resolve DNS queries for records that this server cannot resolve." IP Address list: 170.94.156.195, 170.94.156.196, 66.204.1.66] 


**Please remove all old state DIS DNS Servers (165.29.X.X and 170.211.X.X) 


OpenDNS Servers — Cisco Umbrella (OpenDNS) 
DNS = 208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222 


[Screenshot: DC-A Properties, Forwarders tab with the OpenDNS servers listed: 208.67.222.222, 208.67.220.220, 208.67.222.220] 


**Warning — Do Not Point Forwarders to OpenDNS Virtual Appliance Servers 
**Do Not Use Google DNS Servers 8.8.8.8, 8.8.4.4 - (Lockdown Browser) 
**Uncheck — Use root hints if no forwarders are available (Do Not Use) 


4. Click Apply and then OK. 


5. Close the DNS Manager 
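The forwarder list, the root-hints setting and the "do not use" addresses above can be enforced in one script instead of being checked by eye on each server. This is an added example, not code from the DIS guide; it assumes it runs as an administrator on each DNS server, uses the DIS addresses from this section, and treats the Google servers and the old 165.29.X.X / 170.211.X.X ranges as forbidden. For a Cisco Umbrella site, replace $forwarders with the OpenDNS list.

```powershell
# Added example (not from the DIS guide): set forwarders, turn off the
# root-hints fallback, and verify nothing the guide forbids is configured.
Import-Module DnsServer

$forwarders = @('170.94.156.195', '170.94.156.196', '66.204.1.66')   # DIS DNS servers

# Addresses the guide says must never be used as forwarders.
$forbiddenExact    = @('8.8.8.8', '8.8.4.4')    # Google DNS (Lockdown Browser)
$forbiddenPrefixes = @('165.29.', '170.211.')   # old state DIS ranges

function Test-ForwarderList {
    param([string[]] $Addresses)
    # Returns the addresses that violate the guide's rules (empty when clean).
    $bad = foreach ($ip in $Addresses) {
        if ($forbiddenExact -contains $ip) { $ip; continue }
        foreach ($p in $forbiddenPrefixes) { if ($ip.StartsWith($p)) { $ip } }
    }
    return @($bad)
}

$problems = Test-ForwarderList -Addresses $forwarders
if ($problems.Count -gt 0) {
    throw "Refusing to configure forbidden forwarders: $($problems -join ', ')"
}

# Set-DnsServerForwarder replaces the whole list (Add- would append), which
# is how stale state DNS entries get removed. -UseRootHint $false is the
# "Use root hints if no forwarders are available" checkbox, unchecked.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false

# Read back what the server really has and re-check it.
$current  = Get-DnsServerForwarder
$current | Select-Object IPAddress, UseRootHint, Timeout
$leftover = Test-ForwarderList -Addresses ($current.IPAddress | ForEach-Object { $_.ToString() })
if ($leftover.Count -gt 0) {
    Write-Warning "Old or forbidden forwarders still present: $($leftover -join ', ')"
}
```

Running only the Get-DnsServerForwarder part on a schedule gives a cheap drift check: a forwarder pointing at an address outside the approved list is worth an alert, since every client in the domain resolves through it.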
DHCP INSTALLATION AND CONFIGURATION 


1. Launch Server Manager. 


2. Click Manage and then select Add Roles and Features. 


[Screenshot: Server Manager Manage menu: Add Roles and Features, Remove Roles and Features, Add Servers, Create Server Group, Server Manager Properties] 


3. On the Before You Begin screen, click Next. 


4. On the Select Installation type screen, select Role-based or Feature-based 
installation and click Next. 


5. On the Select Destination server screen, click Next. 


6. On the Select server roles screen, select the DHCP Server role, click on Add 
Features and click Next. 


7. Click Next for the rest of the screens, and then click Install. 
8. When the installation is finished, click Close. 


9. Configure the DHCP Server installation by clicking the Notifications icon (Flag 
Icon) and then selecting Complete DHCP configuration. 
[Screenshot: Server Manager notification: Post-deployment Configuration, "Configuration required for DHCP Server at [server name]"; Complete DHCP configuration] 


11. On the Authorization screen, click Commit. 


12. Now that the DHCP Server role has been installed, we will configure it in DHCP 
Manager by clicking on Tools and selecting DHCP from the drop down list. 


[Screenshot: Server Manager Tools menu with DHCP selected] 

13. Expand the server node and IPv4 node until you see Server Options, Policies. 
14. Right click on IPv4 and select New Scope. 


15. On the Scope Name screen enter the Scope name and description you want 
to use for this scope e.g. IP NAT POOL 

16. On the IP Address Range screen type in the starting and ending IP address 
for this scope along with the subnet mask. This is the range of IP addresses 
this DHCP server will be issuing. Click Next. 
**It is recommended to leave a few numbers at the start of the scope for 
static assignment e.g. if the IP range is 10.10.10.0 - 10.10.11.255 enter 
10.10.10.51 for the Starting IP Address and 10.10.11.254 for the Ending IP 
Address to leave 50 IPs at the beginning of your IP range for static 
assignment. 


17. On the Exclusion screen enter the IP addresses you want to be excluded from 
the DHCP range defined in the previous step and then click Next. 


18. On the Lease time screen take the default values unless required otherwise 
and click Next. 


19. On the Configure DHCP options screen select No, I will configure these 
options later and click Next and then Finish to close the wizard. 


20. Right click Server Options and select Configure Options. From the list 
opened select the following options: 

- 003 Router --- Gateway Address for devices 
- 006 DNS Server --- On premises DNS Servers typically DCs 
- 015 DNS Domain Name --- Domain name e.g. school.local 
- 044 WINS/NBNS Server --- On premises WINS Servers 
- 046 WINS/NBT Node Type --- Recommended to be configured as 0x8 


21. Right-click IPv4 and select Properties. Under the Advanced tab, for Conflict 
Detection Attempts, change this value to 3. 


22. Also, under the Advanced tab click on the Bindings button and verify that the 
only network adapter checked is the adapter that is on the same subnet the 
DHCP server will be serving IP addresses for. 


23. Once all the settings are done, right click on the newly created scope and 
select Activate for the DHCP server to start giving out IP numbers. 
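Steps 13 through 23 as a DhcpServer module script, added here as an example rather than taken from the DIS guide. It builds the scope from the guide's sample range 10.10.10.0 - 10.10.11.255 (a /23, so the mask 255.255.254.0 is assumed), keeps the first 50 addresses for static use, sets the five server options listed in step 20, and activates the scope only after conflict detection and bindings are set. The DNS, gateway, WINS addresses, the exclusion block and the adapter name are constructed placeholders.

```powershell
# Added example (not from the DIS guide): DHCP scope and server options
# from PowerShell. Assumes the DHCP Server role is installed and authorized.
Import-Module DhcpServer

$scopeId = '10.10.10.0'
$mask    = '255.255.254.0'                   # assumed for the 10.10.10.0-10.10.11.255 range
$dcs     = @('10.10.10.6', '10.10.10.7')     # on-premises DNS, typically the DCs
$gateway = '10.10.10.1'
$wins    = @('10.10.10.6')                   # on-premises WINS server(s)
$ifAlias = 'Ethernet'                        # adapter on the subnet being served

# Scope starting at .51 so the first 50 addresses stay free for static
# assignment; created Inactive so nothing is handed out until options exist.
Add-DhcpServerv4Scope -Name 'IP NAT POOL' -Description 'Student and faculty address pool' `
    -StartRange '10.10.10.51' -EndRange '10.10.11.254' -SubnetMask $mask `
    -LeaseDuration (New-TimeSpan -Days 8) -State Inactive

# Step 17: addresses inside the range that must never be leased (constructed
# sample: a block reserved for printers).
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange '10.10.11.200' -EndRange '10.10.11.220'

# Step 20: server-level options 003, 006, 015, 044. Option 046 (node type)
# has no named parameter, so it is set by ID; 8 = 0x8, hybrid node.
Set-DhcpServerv4OptionValue -Router $gateway -DnsServer $dcs -DnsDomain 'school.local' -WinsServer $wins
Set-DhcpServerv4OptionValue -OptionId 46 -Value 8

# Step 21: ping an address 3 times before offering it.
Set-DhcpServerSetting -ConflictDetectionAttempts 3

# Step 22: bind only the adapter on the served subnet.
Get-DhcpServerv4Binding | ForEach-Object {
    Set-DhcpServerv4Binding -InterfaceAlias $_.InterfaceAlias -BindingState ($_.InterfaceAlias -eq $ifAlias)
}

# Step 23: activate, then show the result for review.
Set-DhcpServerv4Scope -ScopeId $scopeId -State Active
Get-DhcpServerv4Scope -ScopeId $scopeId | Format-List Name, StartRange, EndRange, SubnetMask, State
Get-DhcpServerv4OptionValue | Format-Table OptionId, Name, Value
Get-DhcpServerv4Binding | Format-Table InterfaceAlias, IPAddress, BindingState
```

The binding listing at the end is the check that matters most on a multi-homed server: an extra bound adapter means the server answers DHCP on a network it was never meant to serve.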


WINS INSTALLATION AND CONFIGURATION 


1. Launch Server Manager. 


Arkansas Department of Information Systems — APSCN LAN Support 
Printed on 5/16/2022 


32|Page 


2. Click Manage and then select Add Roles and Features. 


[Screenshot: Server Manager Manage menu: Add Roles and Features, Remove Roles and Features, Add Servers, Create Server Group, Server Manager Properties] 


3. On the Before You Begin screen, click Next. 

4. On the Select Installation type screen, select Role-based or Feature-based 
installation and click Next. 

5. On the Select Destination server screen, click Next. 

6. On the Select server roles screen, click Next. 

7. On the Select features screen, select WINS Server, click on Add Features and 
then click Next and then click Install. 

8. Add the WINS IP addresses to each respective network card in all servers. 

9. If multiple WINS servers are being deployed, they need to be added as 
replication partners under WINS Manager. 

10. Open WINS Manager by selecting Tools in Server Manager and then 
selecting WINS from the drop down list. 

11. Expand the respective WINS Server and click on Replication Partners. 

12. Right-click Replication Partners and select New Replication Partner. 

13. Enter the respective server name that will be replicating with this WINS 
server and close WINS Manager. 


**Steps 12 and 13 need to be repeated for all WINS servers in the domain. 
WINDOWS SERVER UPDATE SERVICES (WSUS) 


Microsoft Windows Server Update Services (WSUS) enables information technology 
administrators to deploy the latest Microsoft product updates to systems running Microsoft 
products. By using Windows Server Update Services, you can fully manage the 
distribution of updates that are released through Microsoft Update to computers in 
your network. 


For Windows Server 2019, WSUS requires the following: 
- At least Microsoft Internet Information Services (IIS) 6.0 
- At least Microsoft .NET Framework 2.0 
- WSUS 4.0 Management Console requires at least Windows 8 
- 1GB of free space on the system partition. 
**You will want to have a WSUS server at each physical site that is behind a router. 


The reason is that you do not want to have computers go across the WAN connection 
to get their updates. 


CONFIGURING WSUS AFTER INSTALLATION 
1. Launch Server Manager. 
2. Click Manage and then select Add Roles and Features. 
3. On the Before you begin page, click Next. 


4. On the Select Installation type screen, select Role-based or Feature-based 
installation and click Next. 


5. On the Select Destination server screen, click Next. 
6. On the Select Server roles page, select Windows Server Update Services. 


7. In the Add Roles and Features dialog box that pops up, click Add Features 
and then click Next. 


8. On the Select features page, leave the default selections, and then 
click Next. 


**WSUS only requires the default Web Server role configuration. If you are 
prompted for additional Web Server role configuration while setting up 
WSUS, you can safely accept the default values and continue setting up 
WSUS. 


9. On the Windows Server Update Services page, click Next. 


10. On the Select Role Services page, leave the default selections unless an 
external SQL Server database is being used, and then click Next. 


[Screenshot: Select role services (destination server WIN-DC1.school.local). "Select the role services to install for Windows Server Update Services": WID Database (installs the database used by WSUS into WID) and WSUS Services checked; Database unchecked] 


11. On the Content location selection page, type a valid location to store the 
updates e.g. D:\WSUS and then click Next. 


**You must have at least 200GB of free disk space, on the volume selected 
to store updates locally. 


12. On the Web Server Role (IIS) page, click Next. 


13. On the Select role services page, leave the default selections, and then 
click Next. 


14. On the Confirm installation selections page, review the selected options, 
and then click Install. 


15. On the Installation progress page, make sure that the installation succeeded, 
and then click Close. 


16. Now that the WSUS role is installed, it will be configured by clicking on Tools and 
selecting Windows Server Update Services from the drop down list. 
17. When the Complete WSUS Installation dialog box appears, click Run. 


[Screenshot: Complete WSUS Installation dialog: "The locally hosted WSUS Server requires additional steps in order to complete the installation. WSUS post-installation process can run those steps for you. Would you like to run it now?" Store updates locally is checked; Content directory path: C:\WSUS] 


18. In the Complete WSUS Installation dialog box, click Close when the 
installation successfully finishes. 


19. The Windows Server Update Services Wizard appears and on the Before you 
Begin page, click Next. 


20. Read the instructions on the Join the Microsoft Update Improvement 
Program page and evaluate if you want to participate or not. If you do not 
want to participate, Uncheck the box and click Next. 


21. On the Choose Upstream Server page, select Synchronize from Microsoft 
Update and click Next. 


**If you are synchronizing from another WSUS server from within the 
district, be sure to enter the proper port number that WSUS is running on 
remotely. 


22. On Specify Proxy Server settings, leave the default values, unless these 
settings are required for your environment and then click Next. 


23. On the Connect to Upstream Server, click Start Connecting to retrieve the 
current updated list of products available. 


24. When the initial product file download is completed, click Next. 


25. On the Choose Languages page, verify that English is the ONLY selected 
language and then click Next. 


26. On the Choose Products page, choose the Microsoft products running in 
your environment that will require updates and click Next. 
27. On the Choose Classifications page, it is recommended to select everything 
EXCEPT Drivers and click Next. 


28. On the Set Sync Schedule page, select Synchronize automatically and set 
this to off-peak usage hours e.g. 11:00pm and then click Next. 


29. Click Finish on the next screen to complete the configuration wizard. 


30. On the Update Services management console screen, expand your WSUS 
Server and click Options. 


31. In the Options pane, select Update Files and Languages. Uncheck the 
Download update files to this server only when the updates are approved 
and click OK. 


[Screenshot: Update Files and Languages options, Update Files tab. "You can specify where to store update files. Storing files locally requires sufficient disk space." Options: Store update files locally on this server (selected); Download update files to this server only when updates are approved (unchecked); Download express installation files (express installation files provide faster download and installation on computers, but are larger and will increase download times for your server); Do not store update files locally; computers install from Microsoft Update. Note: Saving file and language settings may take several minutes. During this time, computers cannot receive updates and other settings cannot be saved.] 


**If you choose to manually approve updates, your workstations will not 
have to wait until after the next WSUS Sync with Microsoft to get the 
updates. 

32. In the Options pane, select Automatic Approvals. 


33. Select the Default Automatic Approval Rule and click Edit. 


34. In the Step 2 box, click on Critical Updates, Security Updates. 
[Screenshot: Edit the Default Automatic Approval Rule. "Select which updates to approve and the groups for which to approve them." Step 1: Select properties: "When an update is in a specific classification" checked; "When an update is in a specific product" and "Set a deadline for the approval" unchecked. Step 2: Edit the properties (click an underlined value): When an update is in Critical Updates, Security Updates; Approve the update for all computers. Step 3: Specify a name: Default Automatic Approval Rule] 


35. Select all classification items EXCEPT drivers and click OK. 


**Some districts choose not to select Feature Packs. These include items 
such as Silverlight and Desktop Search. 


36. Verify that Default Automatic Approval Rule is checked. Click Apply and OK 
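The post-installation task and wizard steps 17 through 31 can be scripted with the UpdateServices module and the WSUS API; the approval rule in steps 32 through 36 is left to the console. This is an added example, not code from the DIS guide. It assumes the role is installed on this server with the WID database, that updates go to D:\WSUS (the guide's sample path, so it must have at least 200GB free), and the product list is a constructed sample to replace with the products actually in use.

```powershell
# Added example (not from the DIS guide): WSUS post-install and initial
# configuration from PowerShell. Run as an administrator on the WSUS server.
Import-Module UpdateServices

# Step 17: the post-installation task the Run button starts.
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusUtil postinstall CONTENT_DIR=D:\WSUS

$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()
$sub    = $wsus.GetSubscription()

# Step 20: do not join the Microsoft Update Improvement Program.
$config.MURollupOptin = $false
# Step 21: synchronize from Microsoft Update rather than another WSUS server.
Set-WsusServerSynchronization -SyncFromMU
# Step 25: English only.
$languages = New-Object System.Collections.Specialized.StringCollection
$languages.Add('en') | Out-Null
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages($languages)
# Step 31: fetch update files at sync time, not only once approved.
$config.DownloadUpdateBinariesAsNeeded = $false
$config.Save()

# Step 26: products (constructed sample; titles must match the catalog exactly).
$wantedProducts = @('Windows Server 2019', 'Windows 10, version 1903 and later')
$matched = Get-WsusProduct | Where-Object { $_.Product.Title -in $wantedProducts }
if (-not $matched) { throw 'No products matched; run the initial sync (step 23) first' }
$matched | Set-WsusProduct

# Step 27: every classification except Drivers.
Get-WsusClassification | Where-Object { $_.Classification.Title -ne 'Drivers' } | Set-WsusClassification

# Step 28: automatic sync once a day at 11:00 PM local time. The API stores
# the time of day in UTC, so convert the local off-peak hour.
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = ([datetime]::Today.AddHours(23)).ToUniversalTime().TimeOfDay
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()

# Step 23/24: kick off a synchronization now.
$sub.StartSynchronization()

# Check: what this server will actually synchronize.
[pscustomobject]@{
    SyncFrom         = if ($config.SyncFromMicrosoftUpdate) { 'Microsoft Update' } else { $config.UpstreamWsusServerName }
    Languages        = @($config.GetEnabledUpdateLanguages()) -join ','
    DownloadOnDemand = $config.DownloadUpdateBinariesAsNeeded
    Classifications  = (@($sub.GetUpdateClassifications()) | ForEach-Object Title) -join ', '
    SyncTimeUtc      = $sub.SynchronizeAutomaticallyTimeOfDay
}
```

On a fresh server the product catalog is empty until the first synchronization has completed, which is why the product step guards against an empty match; run the product and classification lines again after step 24 if the script was started before the initial sync.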


[Screenshot: Automatic Approvals, Update Rules tab. "You can specify rules for automatically approving new updates when they are synchronized." Rule properties (click an underlined value to edit): When an update is in Critical Updates, Definition Updates, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates; Approve the update for all computers] 
WSUS GROUP POLICY 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Group 
Policy Objects. 


5. Right-click on the Group Policy Objects and then select New. 
6. Name the new group policy WSUS Policy and click OK. 


7. Expand Group Policy Objects. Right-click the newly created WSUS Policy and 
click Edit to open the Group Policy Editor. 


8. Expand Computer Configuration > Policies > Administrative Templates > 
Windows Components and select Windows Update. 


9. Double-click on Configure Automatic Updates, change Not Configured to 
Enabled and select option 4 — Auto Download and schedule install under the 
Configure automatic updating drop-down menu. 


10. Set the desired scheduled install day and time. 


[Screenshot: Configure Automatic Updates policy setting, Enabled. Supported on: Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3. Options: Configure automatic updating: 4 - Auto download and schedule the install; Scheduled install day: 0 - Every day. Help: "Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting: 2 = Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to this computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with a notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install."] 
11. Click the Next Setting button to change to the Specify Intranet Microsoft Update 
Services Location window. 


12. Change Not Configured to Enabled and in both entry boxes enter 
http://YourWsusServername:8530 and then click OK. 


13. Click the Next Setting button to change to the Automatic Updates detection 
frequency window. 


14. Change Not Configured to Enabled, leave the default value for Interval 
(hours) and then click OK. 


15. Double-click on Allow Automatic Updates immediate installation, change 
Not Configured to Enabled and then click OK. 


16. Double-click on No auto-restart for scheduled Automatic Updates 
installations, change Not Configured to Enabled and then click OK. 


17. Double-click on Reschedule Automatic Updates Scheduled Installations. 


18. Change Not Configured to Enabled, change the startup (minutes) to any 
value between 1 — 5 (recommended) and then click OK. 


19. Close the Group Policy Management Editor. 


20. Drag and Drop WSUS Policy on the Workstations OU to link the policy to 
everything residing under Workstations. 


**It is recommended to have a separate Group Policy for Domain Servers and Domain 
workstations to avoid automatic restart on servers. 
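The GPO built in steps 6 through 20 writes a known set of registry values under the Windows Update policy key, so it can be created and linked with the GroupPolicy module. This is an added example, not code from the DIS guide. It assumes the guide's sample domain school.local, a WSUS server named wsus01 on the port 8530 from step 12, and a Workstations OU and a Domain Member Servers OU at the domain root; the server variant follows the closing note by downloading updates but leaving the install to an administrator (option 3), which is an assumption about how a district would avoid server restarts.

```powershell
# Added example (not from the DIS guide): the WSUS Policy GPO from
# PowerShell. Registry value names are those the Windows Update
# administrative template writes.
Import-Module GroupPolicy

$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function New-WsusPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $TargetOu,   # distinguished name to link to
        [Parameter(Mandatory)] [string] $WsusUrl,
        [int] $AuOption    = 4,    # 4 = auto download and schedule install (step 9)
        [int] $InstallDay  = 0,    # 0 = every day (step 10)
        [int] $InstallHour = 3     # 24-hour clock (step 10)
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) { New-GPO -Name $Name | Out-Null }

    $values = @(
        # Steps 9-10: Configure Automatic Updates = Enabled, option, schedule.
        @{ Key = $auKey; ValueName = 'NoAutoUpdate';                  Type = 'DWord';  Value = 0 },
        @{ Key = $auKey; ValueName = 'AUOptions';                     Type = 'DWord';  Value = $AuOption },
        @{ Key = $auKey; ValueName = 'ScheduledInstallDay';           Type = 'DWord';  Value = $InstallDay },
        @{ Key = $auKey; ValueName = 'ScheduledInstallTime';          Type = 'DWord';  Value = $InstallHour },
        # Steps 11-12: intranet update service location, both entry boxes.
        @{ Key = $auKey; ValueName = 'UseWUServer';                   Type = 'DWord';  Value = 1 },
        @{ Key = $wuKey; ValueName = 'WUServer';                      Type = 'String'; Value = $WsusUrl },
        @{ Key = $wuKey; ValueName = 'WUStatusServer';                Type = 'String'; Value = $WsusUrl },
        # Steps 13-14: detection frequency enabled, default 22 hours.
        @{ Key = $auKey; ValueName = 'DetectionFrequencyEnabled';     Type = 'DWord';  Value = 1 },
        @{ Key = $auKey; ValueName = 'DetectionFrequency';            Type = 'DWord';  Value = 22 },
        # Step 15: immediate installation of updates that need no restart.
        @{ Key = $auKey; ValueName = 'AutoInstallMinorUpdates';       Type = 'DWord';  Value = 1 },
        # Step 16: no auto-restart while users are logged on.
        @{ Key = $auKey; ValueName = 'NoAutoRebootWithLoggedOnUsers'; Type = 'DWord';  Value = 1 },
        # Steps 17-18: reschedule a missed install 5 minutes after startup.
        @{ Key = $auKey; ValueName = 'RescheduleWaitTimeEnabled';     Type = 'DWord';  Value = 1 },
        @{ Key = $auKey; ValueName = 'RescheduleWaitTime';            Type = 'DWord';  Value = 5 }
    )
    foreach ($v in $values) {
        Set-GPRegistryValue -Name $Name -Key $v.Key -ValueName $v.ValueName -Type $v.Type -Value $v.Value | Out-Null
    }

    # Step 20: link to the OU (the drag-and-drop in the console), once.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null }

    # Return what the GPO now holds, for review.
    Get-GPRegistryValue -Name $Name -Key $auKey | Select-Object ValueName, Value
}

$wsusUrl = 'http://wsus01.school.local:8530'   # placeholder server name; port from step 12

# Workstations: full automatic install schedule.
New-WsusPolicy -Name 'WSUS Policy' -TargetOu 'OU=Workstations,DC=school,DC=local' -WsusUrl $wsusUrl

# Servers (assumption): download only, an administrator installs and reboots.
New-WsusPolicy -Name 'WSUS Policy Servers' -TargetOu 'OU=Domain Member Servers,DC=school,DC=local' `
    -WsusUrl $wsusUrl -AuOption 3 -InstallDay 7 -InstallHour 2
```

The WUServer value is plain http on 8530, matching the guide; if the WSUS server is later switched to TLS on 8531, both URL values must change together or clients will report to one address and download from another.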
BASIC ACTIVE DIRECTORY STRUCTURE FOR K12 


SINGLE SITE ACTIVE DIRECTORY NETWORKS 


1. Launch Server Manager. 


2. Click on Tools and select Active Directory Users and Computers from the 
drop down list. 


[Screenshot: Server Manager Tools menu with Active Directory Users and Computers selected] 


3. Right-click on YourDomain.LOCAL, click New, then Organizational Unit (OU). 

4. Enter Faculty as the name of the new Organizational Unit then click Next. 

**Uncheck the Protect container from accidental deletion box before 
selecting Next if you do NOT want to automatically protect the OU from 
being deleted or moved. 
[Screenshot: Active Directory Users and Computers showing Saved Queries and the domain with Computers, Domain Controllers, ForeignSecurityPrincipals and Managed Service Accounts; right pane: "There are no items to show in this view."] 


**Repeat Steps 2 and 3 for Organizational Units required in your Active Directory 
environment e.g. Students, Workstations, Domain Member Servers, and Custom 
Security Groups. 


[Screenshot: Active Directory Users and Computers showing the resulting structure for SCHOOL.LOCAL:] 

SCHOOL.LOCAL 
  Builtin 
  Computers 
  Custom Security Groups 
  Domain Controllers 
  Domain Member Servers 
  Faculty 
    Administration 
    Elementary 
    HighSchool 
    Technology 
  ForeignSecurityPrincipals 
  Managed Service Accounts 
  Students 
  Users 
  Workstations 
    Elementary 
    Faculty 
    HighSchool 
    Technology 
Now that we have our basic OU structure set up, we need to create our security groups. 
It is best to use security groups to assign permissions rather than assigning permissions 
to network shares using individual accounts. It is much easier to find where someone is 
getting incorrect access to something if access to files and shares is based on security 
groups. 


5. Right-click on the Custom Security Groups OU then click New Group. 


6. Name this group Faculty and click OK. 


[Screenshot: New Object - Group. Create in: SCHOOL.LOCAL/Custom Security Groups. Group name: Faculty; Group name (pre-Windows 2000): Faculty; Group scope: Global; Group type: Security] 


**Repeat Steps 5 and 6 for all Custom Security Groups required in your Active
Directory environment, e.g. Students, Journalism, YearBook, Technology, etc. Leave the
group scope at Global and the group type at Security; a Distribution group cannot be used
to assign permissions.

**If you are running Active Directory over multiple sites (behind more than one
router), create an OU for each site and place that site's Workstations, Faculty,
and Students OUs under the Site OU. You can then delegate control to campus-level
technicians so that they have authority to maintain only the user accounts, computer
accounts, etc. that reside in their own campus' OU. Rights delegated on an OU are
inherited by everything beneath it, so keep privileged objects (domain controllers,
member servers, the Custom Security Groups OU) outside the site OUs.
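The OU structure and security groups above, and the per-site delegation just described, as an added PowerShell example (not part of the original DIS guide). It assumes the domain school.local, the ActiveDirectory module (RSAT or a domain controller), and invents a HighSchool-Techs group to delegate to; dsacls is used for the delegation because it ships with AD DS.

```powershell
# Added example (not part of the original DIS guide): builds the OU structure and the
# Custom Security Groups shown above with the ActiveDirectory module, then delegates
# password resets on one campus OU to a campus technician group.
# Assumptions: domain school.local, run on a DC or a machine with RSAT, and the group
# name "HighSchool-Techs" is invented for this example.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=school,DC=local

# Create an OU only if it does not already exist, so the script can be re-run safely.
function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel)) {
        # ProtectedFromAccidentalDeletion adds a Deny-Delete ACE for Everyone on the OU.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# Top-level OUs from the guide.
$topLevel = 'Custom Security Groups', 'Domain Member Servers', 'Faculty', 'Students', 'Workstations'
$ou = @{}
foreach ($name in $topLevel) { $ou[$name] = New-OUIfMissing -Name $name -ParentDN $domainDN }

# Sub-OUs under Faculty and Workstations, as in the screenshot.
foreach ($site in 'Administration', 'Elementary', 'HighSchool', 'Technology') {
    New-OUIfMissing -Name $site -ParentDN $ou['Faculty'] | Out-Null
}
foreach ($site in 'Elementary', 'Faculty', 'HighSchool', 'Technology') {
    New-OUIfMissing -Name $site -ParentDN $ou['Workstations'] | Out-Null
}

# Global security groups in the Custom Security Groups OU (same scope/type as the dialog).
foreach ($grp in 'Faculty', 'Students', 'Journalism', 'YearBook', 'Technology', 'HighSchool-Techs') {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$grp)")) {
        New-ADGroup -Name $grp -SamAccountName $grp -GroupScope Global -GroupCategory Security `
                    -Path $ou['Custom Security Groups']
    }
}

# Delegation: let HighSchool-Techs reset passwords and force a change at next logon
# for user objects under OU=HighSchool,OU=Faculty only. /I:S applies the grant to
# sub-objects (the users) rather than to the OU object itself.
$hsFaculty = "OU=HighSchool,$($ou['Faculty'])"
$netbios   = (Get-ADDomain).NetBIOSName
dsacls $hsFaculty /I:S /G "$netbios\HighSchool-Techs:CA;Reset Password;user"
dsacls $hsFaculty /I:S /G "$netbios\HighSchool-Techs:WP;pwdLastSet;user"

# Verification: show the entries that were just granted on the campus OU.
dsacls $hsFaculty | Select-String 'HighSchool-Techs'
```

The delegation is deliberately narrow (reset password and write pwdLastSet on user objects only); a technician in HighSchool-Techs cannot touch accounts in the Administration or Elementary OUs, which is the point of the per-site layout.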


CREATE SHARES AND HOME DIRECTORIES 


The first thing we need to do before we can create our user template is to create a 
network share for the home directories. 


1. Open Computer and browse to the volume that will hold the faculty 
home-directories. 
**It is recommended that Faculty and Student Home folders be stored
on separate volumes. Do not place them on the same volume or on the
DATA volume; separate volumes let you apply different quota limits and
shadow copy schedules to each group.

2. Create a new folder called Faculty-Homes. 

3. Right click on the Faculty-Homes folder and click Properties. 

4. Select on the Sharing tab and click the Advanced Sharing button. 

5. Select the Share this folder check box. 

6. For the share name type Faculty-Homes$.

**When sharing folders or drives with Windows, if a dollar sign ($)
character is added to the end of a share name, the share name does not
appear in a browsed list of available shares on the server. This only hides
the share from browsing; anyone who knows the name can still connect, so the
share and NTFS permissions set in the following steps are what actually
control access.

7. Click on the Permissions button. 

8. Select Everyone and click Remove. 

9. Click Add. In the name box enter Domain Admins, Administrators, and
Faculty, each separated by a semi-colon. Click the Check Names
button and then click OK.

**If a name or group is misspelled or not found in the Directory, you will
be prompted to correct the spelling or to pick the proper group,
should the same text match multiple groups.


10. Give Domain Admins and Administrators both Full Control. 


11. Give the Faculty group Change rights, they will receive Read 
automatically. 


12. Click on the Caching button. Select No files or programs from this
shared folder will be available offline.

**Unless required, it is NOT recommended to allow offline file-caching
for any network share, because cached files are synced at every log off for
every user using the share.


13. Click OK, Apply, and then OK until all property windows are closed. 
14. Select the Security tab and click the Advanced button.

[Screenshot: Faculty-Homes Properties, Security tab. Object name: C:\Faculty-Homes.
Group or user names: CREATOR OWNER, SYSTEM, Administrators (SCHOOL\Administrators),
Users (SCHOOL\Users). The Permissions check boxes (Full control, Modify, Read & execute,
List folder contents) are grayed out. The Advanced button is at the bottom right.]


15. On the Advanced Security Settings page, click on Disable inheritance.

**By default all new folders have "Inheritance" turned on, which
means that the folder inherits its permissions from its parent folder. The
easiest way to recognize this is that the Allow or Deny
check boxes are grayed out for a user or group that is getting
rights through inheritance.
[Screenshot: Advanced Security Settings for Faculty-Homes, Permissions tab.
Name: C:\Faculty-Homes. Owner: Administrators (SCHOOL\Administrators).
Tabs: Permissions, Share, Auditing, Effective Access.
Permission entries, all inherited from C:\:]

  Type   Principal                           Access          Applies to
  Allow  SYSTEM                              Full control    This folder, subfolders and files
  Allow  Administrators (SCHOOL\Admin...)    Full control    This folder, subfolders and files
  Allow  Users (SCHOOL\Users)                Read & execute  This folder, subfolders and files
  Allow  Users (SCHOOL\Users)                Special         This folder and subfolders
  Allow  CREATOR OWNER                       Full control    Subfolders and files only

[Buttons: Add, Disable inheritance, "Replace all child object permission entries with
inheritable permission entries from this object", OK]

16. A dialog box will pop up, warning that permission inheritance from the parent
folder is being blocked.

17. Select Convert inherited permissions into explicit permissions on this
object.

[Dialog: Block Inheritance. "What would you like to do with the current inherited
permissions? You are about to block inheritance to this object, which means that
permissions inherited from a parent object will no longer be applied to this object."
Options: "Convert inherited permissions into explicit permissions on this object" and
"Remove all inherited permissions from this object".]

**Converting keeps the current entries in place, so nothing loses access while you
edit the list in the next steps. Removing them would leave the folder with no
permission entries at all, so that only the owner, or an administrator taking ownership,
could get back in.


18. Click Apply and then OK to return to the Faculty-Homes Properties 
screen. 


19. Your permissions to Faculty-Homes should now look like the following 
screen. 
[Screenshot: Faculty-Homes Properties, Security tab, after converting the inherited
entries. Group or user names: CREATOR OWNER, SYSTEM, Administrators
(SCHOOL\Administrators), Users (SCHOOL\Users). The check boxes under Permissions for
CREATOR OWNER (Full control, Modify, Read & execute, List folder contents, Read, Write)
are now editable rather than grayed out.]

20. Click on the Edit button and remove all groups from the list except the
Administrators group.

**Leaving SYSTEM with Full Control as well is common practice, so that backup
agents and other services that run as LocalSystem keep access to the home
directories without having to take ownership first.

21. Click on Add, enter Domain Admins and click OK.

22. Click on Domain Admins, then under Permissions for Domain Admins
check Full Control under Allow. Click Apply and OK.

[Screenshot: Faculty-Homes Properties, Security tab. Object name: C:\Faculty-Homes.
Group or user names now shows Domain Admins (SCHOOL\Domain Admins) selected, with
Full control allowed.]

**Faculty members get access to their own home folder from the per-user subfolder
created in the next section, not from this parent folder. Remember that the share
permissions (Steps 10 and 11) and the NTFS permissions combine: a user's effective
access over the network is whichever of the two is more restrictive. The Effective
Access tab in Advanced Security Settings shows the result for a given account.
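The whole CREATE SHARES AND HOME DIRECTORIES procedure, as an added PowerShell example (not part of the original DIS guide). It assumes the folder is on D: (the guide's screenshots use C:\Faculty-Homes), the domain NetBIOS name is SCHOOL, the Faculty security group already exists, and it runs elevated on the file server.

```powershell
# Added example (not part of the original DIS guide): creates the Faculty-Homes folder,
# shares it as the hidden share Faculty-Homes$ with the share permissions and caching
# setting from Steps 5-13, then sets the NTFS permissions from Steps 14-22 so that only
# Administrators, Domain Admins and SYSTEM hold rights on the root.
# Assumptions: folder on D:, domain NetBIOS name SCHOOL, Faculty group already exists.
$path      = 'D:\Faculty-Homes'
$shareName = 'Faculty-Homes$'      # the trailing $ only hides the share from browse lists

New-Item -ItemType Directory -Path $path -Force | Out-Null

# --- Share permissions and caching (Steps 5-13) -----------------------------------
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    # CachingMode None = "No files or programs from this shared folder will be available offline".
    # Everyone gets nothing (Step 8 removed it); Faculty gets Change, which includes Read (Step 11).
    New-SmbShare -Name $shareName -Path $path -CachingMode None `
                 -FullAccess 'SCHOOL\Domain Admins', 'BUILTIN\Administrators' `
                 -ChangeAccess 'SCHOOL\Faculty' | Out-Null
}

# --- NTFS permissions (Steps 14-22) ------------------------------------------------
$acl = Get-Acl -Path $path

# Block inheritance and discard the inherited entries. The guide converts them and then
# deletes the unwanted ones (Steps 17-20); dropping them and re-adding only the wanted
# entries below ends in the same place.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries left from an earlier run, then add Full Control for
# Administrators, Domain Admins and SYSTEM on "This folder, subfolders and files".
foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($existing) | Out-Null
}
foreach ($principal in 'BUILTIN\Administrators', 'SCHOOL\Domain Admins', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# --- Verification ----------------------------------------------------------------
# Share side: Faculty has Change. NTFS side: Faculty has no entry at all, and the more
# restrictive of the two wins, so a Faculty member can do nothing at the share root
# until their own subfolder (next section) grants them rights.
Get-SmbShareAccess -Name $shareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

The two Format-Table calls at the end are the command-line equivalent of the Permissions button and the Security tab: the first should list only Domain Admins, Administrators and Faculty, the second only the three Full Control entries with IsInherited set to False.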
CREATING USER TEMPLATE


Now that the network share to store home directories is set up, the user template will be
created using the following steps:


23. Launch Server Manager, click on Tools and select Active Directory Users
and Computers from the drop down list.

24. Right click on the Faculty OU, select New, and then User.

[Screenshot: Active Directory Users and Computers [WIN-DC], context menu of the Faculty OU
open at New, listing Computer, Contact, Group, InetOrgPerson, msImaging-PSPs, MSMQ Queue
Alias, Organizational Unit, Printer, User, Shared Folder.]

25. In the information screen fill it out as shown in this screen and then click
Next.


[Screenshot: New Object - User, Create in: school.local/Faculty]
  First name:                          _Faculty
  Last name:                           Template
  Full name:                           _Faculty Template
  User logon name:                     Ftemplate @school.local
  User logon name (pre-Windows 2000):  SCHOOL\Ftemplate

**An underscore before the first name places the template at the top of the
list within the Organizational Unit.
26. Enter a password for the template account that meets the minimum
password requirements. Make sure User must change password at next
logon and Account is disabled are checked and click Next.

**It is recommended that a template account is ALWAYS disabled after
creation. A template is never meant to be logged on with, and leaving it enabled
would give the domain a spare account with a password known to whoever created it.

[Screenshot: New Object - User, Create in: school.local/Faculty. Password and Confirm
password filled in; User must change password at next logon checked; User cannot change
password and Password never expires unchecked; Account is disabled checked.]

Now that the template account is set up, it needs to be configured with the logon script
and home directory path, and made a member of the required security group(s), by
following these steps:

27. Right-click on the _Faculty Template account and click Properties.

28. Click on the Member Of tab and then click on Add.

29. In the Select Groups box, type Faculty and click Check Names. Add any
additional security group this template needs to be a member of and
then click OK.

30. Click on the Profile tab and in the Logon Script text box, enter logon.bat

31. Under the Home folder section, click the radio button next to Connect.

32. Select the drive letter to be used for the user's home directory when it is
mapped.

33. In the To: text box enter \\servername\Faculty-Homes$\%username%
[Screenshot: _Faculty Template Properties, Profile tab (other tabs: Remote Desktop
Services Profile, Telephones, Organization). Profile path: blank. Logon script: logon.bat.
Home folder: Connect H: To: \\win-dc1\faculty-homes$\%username%]

34. Click Apply and then OK.

**The %username% in the home directory path will automatically
change to the logon id of the user.

35. This will create a new subfolder called Ftemplate under the Faculty-Homes
folder with the proper rights: Active Directory Users and Computers creates the
folder on the share and grants the user Full Control of it, while Administrators and
Domain Admins keep the Full Control they inherit from Faculty-Homes. Anything other
than this Properties dialog (a script, for example) has to create the folder and set
those rights itself.


CREATING NEW USER USING TEMPLATE 
To create a new account based off the template, use the following steps: 
1. Right click on the _Faculty Template account and click Copy. 


2. In the Information screen fill it out the information for the New User and 
then click Next. 
3. Make sure that the Account is disabled box is unchecked when creating
a real user account. Click Next and then Finish to complete the creation.

[Screenshot: User must change password at next logon checked; User cannot change
password and Password never expires unchecked.]

**Copy carries over the template's group memberships, logon script and home folder
settings; the %username% in the home folder path is re-expanded for the new user, so
each user gets their own subfolder under Faculty-Homes.
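The template account and the copy-from-template procedure above, as an added PowerShell example (not part of the original DIS guide). It assumes the domain school.local / SCHOOL, that WIN-DC1 (the file server in the screenshot) is also where the script runs, that the share root is D:\Faculty-Homes, and that the Faculty group exists; the function name New-UserFromTemplate is invented here.

```powershell
# Added example (not part of the original DIS guide): creates the disabled
# _Faculty Template account with the settings from Steps 26-33, then copies it to a
# real user the way ADUC's "Copy" does. New-ADUser -Instance copies attribute values
# but not group memberships or the home folder on disk, so both are handled explicitly.
# Assumptions: run on WIN-DC1 (DC and file server), domain school.local / SCHOOL,
# share root D:\Faculty-Homes, Faculty group already exists.
Import-Module ActiveDirectory

$facultyOU = 'OU=Faculty,DC=school,DC=local'
$homeShare = '\\WIN-DC1\Faculty-Homes$'
$homeRoot  = 'D:\Faculty-Homes'          # local path behind the share on the file server

# --- Steps 25-33: the template, always disabled ------------------------------------
if (-not (Get-ADUser -LDAPFilter '(sAMAccountName=Ftemplate)')) {
    # Read-Host -AsSecureString keeps the throw-away password out of the script file.
    New-ADUser -Name '_Faculty Template' -GivenName '_Faculty' -Surname 'Template' `
        -SamAccountName 'Ftemplate' -UserPrincipalName 'Ftemplate@school.local' `
        -Path $facultyOU -AccountPassword (Read-Host 'Template password' -AsSecureString) `
        -ChangePasswordAtLogon $true -Enabled $false `
        -ScriptPath 'logon.bat' -HomeDrive 'H:' -HomeDirectory "$homeShare\%username%"
    Add-ADGroupMember -Identity 'Faculty' -Members 'Ftemplate'
}

# --- CREATING NEW USER USING TEMPLATE ---------------------------------------------
function New-UserFromTemplate {
    param(
        [string]$TemplateSam, [string]$GivenName, [string]$Surname,
        [System.Security.SecureString]$Password
    )
    $sam = "$GivenName.$Surname"          # sAMAccountName is limited to 20 characters
    $template = Get-ADUser -Identity $TemplateSam `
        -Properties ScriptPath, HomeDrive, HomeDirectory, Department, Description

    # -Instance seeds the new object from the template's attribute values. The cmdlet
    # does not expand %username% in HomeDirectory, so the path is set explicitly.
    New-ADUser -Instance $template -Name "$GivenName $Surname" -GivenName $GivenName `
        -Surname $Surname -SamAccountName $sam -UserPrincipalName "$sam@school.local" `
        -Path $facultyOU -AccountPassword $Password -ChangePasswordAtLogon $true `
        -HomeDirectory ($template.HomeDirectory -replace '%username%', $sam) `
        -Enabled $true                        # Step 3: real accounts are enabled

    # Group memberships are not copied by -Instance; mirror them from the template.
    Get-ADPrincipalGroupMembership -Identity $TemplateSam |
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $sam }

    # ADUC creates the home folder and grants the user rights; a script must do it itself.
    # Administrators/Domain Admins keep Full Control through inheritance from the root.
    $folder = Join-Path $homeRoot $sam
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $acl  = Get-Acl -Path $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "SCHOOL\$sam", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    return Get-ADUser -Identity $sam -Properties HomeDirectory, HomeDrive, ScriptPath, MemberOf
}

# Usage: copy the template to Jane Smith, the guide's example faculty member.
New-UserFromTemplate -TemplateSam 'Ftemplate' -GivenName 'Jane' -Surname 'Smith' `
    -Password (Read-Host 'Initial password for Jane.Smith' -AsSecureString)
```

The user is given Modify rather than Full Control on their own folder, which is enough to create, edit and delete files but not to change the folder's permissions; ADUC grants Full Control, so adjust the rule if you want the two methods to match exactly.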
CREATING FACULTY & STUDENT BATCH FILE FOR ACTIVE DIRECTORY — MASS IMPORT


Script for Active Directory (AD) Name Importing
**Notes: Must be revised for the domain!!! (school.local)

The spreadsheet holds one user per row: first name in column A, last name in column B,
the OU the user goes in (graduation year for students) in column C, the logon name in
column D, the initial password in column E, and the formula below in column F. The
formula builds one dsadd user command per row; PROPER() capitalizes the names, LOWER()
builds the UPN, and CHAR(34) emits the double quotes that the DN and the display name
need because they contain spaces and commas.

Student Script: (Column F)

="dsadd user " & CHAR(34) & "CN=" & PROPER(A1) & " " & PROPER(B1) & ",OU=" & C1 &
",OU=Students,DC=school,DC=local" & CHAR(34) & " -samid " & PROPER(A1) & "." &
PROPER(B1) & " -upn " & LOWER(D1) & "@school.local -fn " & PROPER(A1) & " -ln " &
PROPER(B1) & " -display " & CHAR(34) & PROPER(A1) & " " & PROPER(B1) & CHAR(34) &
" -pwd " & E1 & " -mustchpwd yes -memberof CN=Students,OU=Students,DC=school,DC=local"

Faculty Script: (Column F)

="dsadd user " & CHAR(34) & "CN=" & PROPER(A1) & " " & PROPER(B1) & ",OU=" & C1 &
",OU=Faculty,DC=school,DC=local" & CHAR(34) & " -samid " & PROPER(A1) & "." &
PROPER(B1) & " -upn " & LOWER(D1) & "@school.local -fn " & PROPER(A1) & " -ln " &
PROPER(B1) & " -display " & CHAR(34) & PROPER(A1) & " " & PROPER(B1) & CHAR(34) &
" -pwd " & E1 & " -mustchpwd yes -memberof CN=Faculty,OU=Faculty,DC=school,DC=local"

**The -memberof value must be the full distinguished name of the group. If the
Students and Faculty groups were created in the Custom Security Groups OU as described
earlier, use that OU in the DN and wrap the whole value in CHAR(34), because a DN that
contains spaces must be quoted. dsadd also fails for a row whose target OU (the
graduation-year OU for a student) does not exist yet, whose -samid is longer than 20
characters, or whose password does not meet the domain password policy.

**Column E and the generated batch file contain every initial password in clear text.
Keep -mustchpwd yes so the password is replaced at first logon, and delete the
spreadsheet and the batch file once the import has been verified.


SPREADSHEET DATA EXAMPLE

  Column A     Column B    Column C                   Column D                  Column E            Column F
  FIRST NAME   LAST NAME   OU (Graduation Year for    =CONCATENATE(A1,".",B1)   Password (default)  STUDENT SCRIPT /
                           students, campus for       (logon name)                                  FACULTY SCRIPT
                           faculty, e.g. High School)

SPREADSHEET REFERENCE GUIDE

[Screenshot: STUDENT & FACULTY IMPORT SPREADSHEET EXAMPLE in Excel]

  A       B       C         D            E            F
  John    Smith   2019      John.Smith   Password1$   dsadd user "CN=John Smith,OU=2019,OU=Students,DC=school,DC=Local" -samid John.Smith ... (cut off)
  Jane    Smith   Faculty   Jane.Smith   Password1$   dsadd user "CN=Jane Smith,OU=Faculty,OU=Faculty,DC=school,DC=Local" -samid Jane.Smith ... (cut off)

**In the second row column C is "Faculty", which produces OU=Faculty,OU=Faculty. With
the OU structure built earlier, column C for a faculty member should hold the campus
sub-OU (Administration, Elementary, HighSchool or Technology).
1. Create the Organizational Units (OUs) in Active Directory (AD) that the new accounts
will go in. For students this means one OU per graduation year under the Students OU
(OU=2019,OU=Students,...), because dsadd does not create a missing OU.

[Screenshot: Active Directory Users and Computers for SCHOOL.LOCAL showing Builtin,
Computers, Custom Security Groups, Domain Controllers, Domain Member Servers, Faculty
(Administration, Elementary, HighSchool), ForeignSecurityPrincipals, Managed Service
Accounts, Students, Users and Workstations (Elementary, Faculty, HighSchool, Technology).]

2. Student Graduation Year Reference Guide
** Use graduation year rather than grade level for data management; the graduation
year never changes, so student accounts do not have to be moved between OUs each year.

State law requires student logins for Grades 4th - 12th.

  Graduation year   Grade (in the school year in which the Class of 2022 is in 12th grade)
  2022              12
  2023              11
  2024              10
  2025               9
  2026               8
  2027               7
  2028               6
  2029               5
  2030               4
  2031               3
  2032               2
  2033               1


3. Export the Student / Faculty file from Cognos (Excel or .csv).

4. Open the Excel spreadsheet with the Student / Faculty data and copy the data into
the correct columns (A, B, C, D, E & F).
**Data must be split into columns with Text to Columns, and all special characters
removed: a comma inside a name would have to be escaped in the DN, and a double
quote would break the quoting of the generated dsadd command.

[Screenshot: the same spreadsheet, rows John Smith / 2019 / John.Smith / Password1$ and
Jane Smith / Faculty / Jane.Smith / Password1$, with the generated dsadd command in
column F.]
5. Copy the data from column F and save it to a new text document (.txt).

[Screenshot: Notepad with one dsadd user command per line, 20 students in all. Each line
is cut off at the right edge of the window:]

dsadd user "CN=Charlie Brown,OU=2018,OU=Students,DC=school,DC=Local" -samid Charlie.Brown -upn charlie.brown@school.local -fn Charlie -ln Brown -d...
dsadd user "CN=Johnny Appleseed,OU=2018,OU=Students,DC=school,DC=Local" -samid Johnny.Appleseed -upn johnny.appleseed@school.local -fn Johnny -ln ...
dsadd user "CN=Michael Jackson,OU=2019,OU=Students,DC=school,DC=Local" -samid Michael.Jackson -upn michael.jackson@school.local -fn Michael -ln Ja...
dsadd user "CN=Abraham Lincoln,OU=2020,OU=Students,DC=school,DC=Local" -samid Abraham.Lincoln -upn abraham.lincoln@school.local -fn Abraham -ln Li...
dsadd user "CN=Brad Pitt,OU=2021,OU=Students,DC=school,DC=Local" -samid Brad.Pitt -upn brad.pitt@school.local -fn Brad -ln Pitt -display "Brad Pit...
dsadd user "CN=Robert Downey,OU=2022,OU=Students,DC=school,DC=Local" -samid Robert.Downey -upn robert.downey@school.local -fn Robert -ln Downey -d...
dsadd user "CN=Tom Cruise,OU=2023,OU=Students,DC=school,DC=Local" -samid Tom.Cruise -upn tom.cruise@school.local -fn Tom -ln Cruise -display "Tom ...
dsadd user "CN=Tom Hanks,OU=2024,OU=Students,DC=school,DC=Local" -samid Tom.Hanks -upn tom.hanks@school.local -fn Tom -ln Hanks -display "Tom Hank...
dsadd user "CN=Matt Damon,OU=2025,OU=Students,DC=school,DC=Local" -samid Matt.Damon -upn matt.damon@school.local -fn Matt -ln Damon -display "Matt ...
dsadd user "CN=Jed Clampett,OU=2026,OU=Students,DC=school,DC=Local" -samid Jed.Clampett -upn jed.clampett@school.local -fn Jed -ln Clampett -displ...
dsadd user "CN=Mickey Mouse,OU=2018,OU=Students,DC=school,DC=Local" -samid Mickey.Mouse -upn mickey.mouse@school.local -fn Mickey -ln Mouse -displ...
dsadd user "CN=Daffy Duck,OU=2019,OU=Students,DC=school,DC=Local" -samid Daffy.Duck -upn daffy.duck@school.local -fn Daffy -ln Duck -display "Daff...
dsadd user "CN=Homer Simpson,OU=2020,OU=Students,DC=school,DC=Local" -samid Homer.Simpson -upn homer.simpson@school.local -fn Homer -ln Simpson -d...
dsadd user "CN=Stewie Griffin,OU=2021,OU=Students,DC=school,DC=Local" -samid Stewie.Griffin -upn stewie.griffin@school.local -fn Stewie -ln Griffi...
dsadd user "CN=Fred Flintstone,OU=2022,OU=Students,DC=school,DC=Local" -samid Fred.Flintstone -upn fred.flintstone@school.local -fn Fred -ln Flint...
dsadd user "CN=Foghorn Leghorn,OU=2023,OU=Students,DC=school,DC=Local" -samid Foghorn.Leghorn -upn foghorn.leghorn@school.local -fn Foghorn -ln Le...
dsadd user "CN=Woody Woodpecker,OU=2024,OU=Students,DC=school,DC=Local" -samid Woody.Woodpecker -upn woody.woodpecker@school.local -fn Woody -ln W...
dsadd user "CN=Peter Rabbit,OU=2025,OU=Students,DC=school,DC=Local" -samid Peter.Rabbit -upn peter.rabbit@school.local -fn Peter -ln Rabbit -displ...
dsadd user "CN=Elmer Fudd,OU=2026,OU=Students,DC=school,DC=Local" -samid Elmer.Fudd -upn elmer.fudd@school.local -fn Elmer -ln Fudd -display "Elme...
dsadd user "CN=Porky Pig,OU=2027,OU=Students,DC=school,DC=Local" -samid Porky.Pig -upn porky.pig@school.local -fn Porky -ln Pig -display "Porky Pi...
6. Rename the text document to a batch file (.bat): in Save As, change Save as type
to All Files and give it a name such as student import.bat.

[Screenshot: Notepad Save As dialog. File name: student import.bat. Save as type: All
Files. Encoding: ANSI.]

7. Open Command Prompt (Run as Administrator), change directories to the folder
holding the batch file and run it. Put @ECHO OFF on the first line of the batch file
first; otherwise every command, including each -pwd value, is echoed to the screen and
to anything that is capturing the window.

8. Once the batch file has run successfully, open Active Directory Users and Computers;
the new user accounts should be in their respective OUs.
**Use Refresh if accounts don't appear in the Active Directory OUs.


By default Windows does not know what shares users need access to or what drive 
letters they need to be mapped to. By creating a simple batch file logon script, this can 
be accomplished easily. All logon scripts should be saved in the 
\\DOMAINNAME\NETLOGON folder. 


A batch file is nothing more than a series of command-prompt commands. The main command
in a basic batch file logon script is NET USE. For instance, if you have a server named
DC1 with a share named APPS, the following command maps that share as N: for the user
when the logon script runs.

NET USE N: \\DC1\APPS

You can use REM to comment out anything that you type after it. This is helpful
for documenting what each command in your logon script does. REM statements
MUST be on their own line.


A logon script would look similar to the following. The REM lines are comments; they can
be left out without changing what the script does.


LOGON.BAT


@ECHO OFF
REM Disconnect any existing N:, O: and P: mappings so the script can re-map them.
REM The redirection hides the error NET USE prints when nothing was mapped.
NET USE N: /D >NUL 2>&1
NET USE O: /D >NUL 2>&1
NET USE P: /D >NUL 2>&1

REM Map the Apps, Faculty-Apps and Student-Apps shares on server DC1 to N:, O: and P:.
REM /PERSISTENT:NO keeps the mapping out of the user's profile so it is rebuilt at every logon.
NET USE N: \\DC1\Apps /PERSISTENT:NO
NET USE O: \\DC1\Faculty-Apps /PERSISTENT:NO
NET USE P: \\DC1\Student-Apps /PERSISTENT:NO

REM Copy all icon files in the shared folder to the user's Desktop, overwriting duplicates.
XCOPY "\\server\sharename\desktopicons\*.*" "%USERPROFILE%\Desktop" /C /E /S /Y

REM Start BGInfo from the NETLOGON share; the settings file is in NETLOGON as well.
\\%USERDNSDOMAIN%\netlogon\bginfo.exe \\%USERDNSDOMAIN%\netlogon\bginfo-settings.bgi /timer:0 /accepteula

REM Rename the mapped drives as shown in This PC.
WSCRIPT.EXE \\%USERDNSDOMAIN%\netlogon\rename-mapped-drives.vbs

:END
EXIT


VBScript to rename mapped network drives. Example: in This PC, from "apps on 'dc1' (N:)"
to "Apps (N:)".


Before                          After
apps on 'dc1' (N:)              Apps (N:)
229 GB free of 249 GB


Rename-Mapped-Drives.VBS


'------ Script Start
' Any drive letter that is not mapped for this user raises an error on the
' NameSpace call; On Error Resume Next makes the script skip it and carry on.
On Error Resume Next

Dim UserName, mDrive, oShell, objNetwork

Set oShell = CreateObject("Shell.Application")
Set objNetwork = CreateObject("WScript.Network")

' Logged-on user name, re-cased as "Xxxxx" for the drive labels.
UserName = objNetwork.UserName
UserName = UCase(Left(UserName, 1)) & LCase(Mid(UserName, 2))

' Setting NameSpace(drive).Self.Name changes the label shown in This PC.
mDrive = "M:"
oShell.NameSpace(mDrive).Self.Name = UserName & " - Home Directory"

mDrive = "N:"
oShell.NameSpace(mDrive).Self.Name = "Apps"

mDrive = "O:"
oShell.NameSpace(mDrive).Self.Name = "Faculty Apps"

mDrive = "P:"
oShell.NameSpace(mDrive).Self.Name = "Student Apps"

mDrive = "W:"
oShell.NameSpace(mDrive).Self.Name = UserName & " - Web Space"

mDrive = "Y:"
oShell.NameSpace(mDrive).Self.Name = "Student Home Directories"

mDrive = "Z:"
oShell.NameSpace(mDrive).Self.Name = "Faculty Home Directories"
'------ Script End
Earlier versions of this logon script had one section for Windows 9X clients and one for
NT-based clients (Windows NT Workstation 4.0 through Windows XP, as well as Server
2003), selected at the top of the script by testing the OS variable that only NT-based
clients set:


IF "%OS%"=="Windows_NT" GOTO NTClients


On a Windows Server 2019 domain every supported client is NT-based, so the script above
omits the check. Some of the other variables that are available are %LOGONSERVER%,
%COMPUTERNAME% and %USERNAME%. These can be used in the logon script and can also be
echoed from a command prompt (ECHO %LOGONSERVER%) to check the validity of your syntax.


**All logon scripts need to be placed in the NETLOGON folder,
\\DomainName\NETLOGON. Anything placed in this folder is replicated to ALL domain
controllers and is executed by every user who logs on, so leave the default permissions
on it in place (Authenticated Users can read, only administrators can write): anyone who
can modify logon.bat, bginfo.exe or the .vbs file in NETLOGON can run code as every user
in the domain.


IMPLEMENTING SHADOW COPIES 


CLIENT USAGE SCENARIOS 


Shadow copy usage scenarios for both end users and IT administrators are relatively
straightforward. Three common scenarios of data loss due to human error are:


- Accidental file deletions.
- Accidental overwrites of a file (for example, forgetting to use Save As).
- File corruption.


Shadow Copies of Shared Folders provides an end user-accessible tool that restores
documents by accessing point-in-time shadow copies of documents and folders stored
on network shares. It does not cover local volumes on an end user's computer. The
network file share must be on a volume with shadow copies enabled on a server running
Windows Server 2003 or later, including Windows Server 2019.


Shadow Copies of Shared Folders is transparent to end users when they store files on 
the network file server. Only when an end user needs to replace a lost or damaged file 
with a prior version will they activate the client user interface (UI) through Windows 
Explorer. Shadow Copies of Shared Folders also enables users to see network folder 
contents at specific points in time. 
WHAT SHADOW COPIES OF SHARED FOLDERS CAN DO


Shadow Copies of Shared Folders helps end users:
- Recover files without assistance from the help desk.
- Recover files that were overwritten because they were not saved using Save As.
- Recover files that were corrupted and could not be recovered with the file recovery
  capabilities of Windows XP Professional or Microsoft Office XP.


Shadow Copies of Shared Folders creates a safety net for end users by providing an
easily and readily available previous version of a file. In this way, Shadow Copies of
Shared Folders helps end users to:


- Manage their own files.
- Fix mistakes without rebuilding the file or calling the help desk.
- Save time and money for the business.


IT USAGE SCENARIOS 


The most common scenario for recovering lost or corrupted files is a request by the end 
user to the IT help desk to find an archived version. Assuming that the organization has 
an archiving system in place, this request usually means a costly and time-intensive 
search of archived media, which in many instances is a tape back-up. 

This situation creates several problems:


- Potential loss of business agility or revenue if the lost document is time- or
  context-sensitive.
- Increased unproductive time for the end user.
- Increased cost to help desk and IT support services.


Shadow Copies of Shared Folders enables end users to view the contents of shared
folders as they existed at specific points in time, and recover those files by themselves.
This eliminates administrators having to restore accidentally deleted or overwritten
files. Implementing Shadow Copies of Shared Folders for routine file recovery scenarios
can help to:


- Reduce demand on busy administrators; for example, by reducing restore-from-tape
  requests.
- Reduce the cost of recovering single or multiple files.

Table 1 below presents a summary of how end users, IT departments, and organizations can
benefit by implementing Shadow Copies of Shared Folders.
Table 1: Benefits of Using Shadow Copies of Shared Folders

[The original table has one check-mark column each for end users, IT departments and
organizations; the rows are:]

  Saves lost time by not having to rebuild the file
  Saves critical data and information
  Avoids loss of revenue by retaining critical data


HOW SHADOW COPY WORKS


The shadow copy feature in Windows Server works by making a block-level copy of any 
changes that have occurred to files since the last shadow copy. Only the changes are 
copied, not the entire file. 


As a result, previous versions of files do not usually take up as much disk space as the 
current file, although the amount of disk space used for changes can vary, depending on 
the application that changed the file. 

For example, some applications rewrite the entire file when a change is made, but other 
applications add changes to the existing file. If the entire file is rewritten to disk, then 
the shadow copy contains the entire file. Therefore, consider the type of applications in 
your organization, as well as the frequency and number of updates, when you 
determine how much disk space to allocate for shadow copies. 


**Shadow copies DO NOT eliminate the need to perform regular backups, nor do
shadow copies provide protection from media failure: the snapshots live on the same
server as the data. In addition, shadow copies are not permanent. As new shadow copies
are taken, old shadow copies are purged when the size of all shadow copies reaches a
configurable maximum, or when the number of shadow copies reaches 64, whichever is
sooner. Therefore, shadow copies might not be present for as long as end users expect
them to be. End user needs and expectations should be considered when shadow copies
are configured.


**Windows Vista and later have the Shadow Copy client installed by default.
IMPLEMENTING SHADOW COPIES


1. On the server go to File manager and then select Computer.

2. Right-click on the volume that you would like to enable Shadow Copies on and
then click Properties.

3. Click on the Shadow Copies tab.

4. Select the volume(s) from the list that shadow copies need to be enabled on and
then click Enable.

5. On the Enable Shadow Copies dialog box that pops up, check Do not show
this message again and click Yes.

6. Click on the volume that you enabled Shadow Copies for, then click the
Settings button.


[Screenshot: volume Properties, Shadow Copies tab (other tabs: General, Tools, Hardware,
Sharing, Security, Previous Versions, Quota). "Shadow copies allow users to view the
contents of shared folders as the contents existed at previous points in time."
Select a volume: a list with columns Volume, Next Run Time, Shares; one volume shows
Disabled and 0 shares, another shows a next run time of 5/8/2013 7:0... Shadow copies of
selected volume: 5/7/2013 3:15 PM. Buttons: Enable, Disable, Settings, Create Now,
Delete Now, Revert.]


7. Click the Schedule button. 


8. By default, the only two options for a snapshot are every day at 7AM and 
12PM, Mon - Friday. Adjust this schedule to meet the district’s needs or 
create a new schedule per requirement. 


[Screenshot: Schedule dialog. "1. At 7:00 AM every Mon, Tue, Wed, Thu, Fri of every
week, starting 5/7/...". Check box: Show multiple schedules.]


9. Click OK twice to return to the Shadow Copies Settings window. 


10. Click OK to return to Computer. 
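The IMPLEMENTING SHADOW COPIES procedure from the command line, as an added PowerShell example (not part of the original DIS guide). It assumes the home directory volume is D:, caps the snapshot store at 10% of that volume, and invents the scheduled task name; vssadmin create shadow is available on Server editions, which is what the GUI's own scheduled task runs.

```powershell
# Added example (not part of the original DIS guide): enables Shadow Copies of Shared
# Folders on the volume holding the home directories, using the same 7:00 AM and
# 12:00 PM Monday-Friday schedule the GUI creates by default, takes a first snapshot,
# and reports what exists. Assumptions: volume D:, snapshot store capped at 10%, the
# task name ShadowCopy-D is invented.
$volume = 'D:'

# 1. Reserve shadow storage (the GUI's Settings > Maximum size). Keeping it on the
#    same volume is the default; losing that disk loses the snapshots as well, which is
#    why the guide says shadow copies are not a substitute for backups.
#    Use "vssadmin resize shadowstorage" later to change the cap.
vssadmin add shadowstorage "/for=$volume" "/on=$volume" /maxsize=10%

# 2. Take the first snapshot now ("Create Now" on the Shadow Copies tab). /autoretry
#    keeps trying for up to 15 minutes if another VSS operation is in progress.
vssadmin create shadow "/for=$volume" /autoretry=15

# 3. Schedule the same command at 7:00 AM and 12:00 PM, Monday to Friday, as SYSTEM.
$days      = 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'
$action    = New-ScheduledTaskAction -Execute 'vssadmin.exe' `
                 -Argument "create shadow /for=$volume /autoretry=15"
$triggers  = @(
    (New-ScheduledTaskTrigger -Weekly -DaysOfWeek $days -At '7:00AM'),
    (New-ScheduledTaskTrigger -Weekly -DaysOfWeek $days -At '12:00PM')
)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "ShadowCopy-$($volume.TrimEnd(':'))" `
    -Action $action -Trigger $triggers -Principal $principal -Force | Out-Null

# 4. Verification: how many snapshots exist for the volume and their age range.
#    Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ path, so map the letter first.
function Get-ShadowCopySummary {
    param([string]$DriveLetter)
    $deviceId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'").DeviceID
    $copies   = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $deviceId }
    $sorted   = $copies | Sort-Object InstallDate
    [pscustomobject]@{
        Volume = $DriveLetter
        Count  = @($copies).Count        # the oldest is purged at 64 or when the cap is hit
        Oldest = ($sorted | Select-Object -First 1).InstallDate
        Newest = ($sorted | Select-Object -Last 1).InstallDate
    }
}

Get-ShadowCopySummary -DriveLetter $volume
vssadmin list shadowstorage "/for=$volume"
```

Run Get-ShadowCopySummary again after a few days: if Count is already approaching 64 or the Oldest date is only a day or two back, the schedule is too aggressive or the cap too small for the number of users writing to the volume.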
IMPLEMENTING VOLUME BASED QUOTA LIMITS


VOLUME LEVEL QUOTA LIMITS USING PROPERTIES


**Quota limits are set per volume. Once enabled, they apply to every user who saves
data on that volume. It is recommended that Faculty and Student home folders be kept
on separate volumes so that each can have its own quota limit.


1. On the server go to File manager and then select Computer.


2. Right click on the volume that Quota limits need to be enabled on, select
Properties, and click on the Quota tab.


3. Check the box next to Enable Quota Management. 


[Screenshot: volume Properties, Quota tab (other tabs: General, Tools, Hardware, Sharing,
Shadow Copies, Previous Versions). Status: Disk quotas are disabled.
Check boxes: Enable quota management; Deny disk space to users exceeding quota limit.
Select the default quota limit for new users on this volume: Do not limit disk usage /
Limit disk space to [ ] MB; Set warning level to 950 MB.
Select the quota logging options for this volume: Log event when a user exceeds their
quota limit; Log event when a user exceeds their warning level.]


**It is recommended to enable Deny disk space to users exceeding quota limit;
without it, quotas are only tracked and logged, and users can keep writing past the limit.
4. Select the radio button next to Limit disk space to. Set the limit and warning
level to meet the district's needs. You can set the log options to meet your
needs.


5. Click Apply and OK. 


To view user’s current disk utilization, click on the Quota Entries button from within the 
window. 
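The Quota tab and the Quota Entries view from the command line, as an added PowerShell example (not part of the original DIS guide). It assumes student home folders are on E:, uses the 950 MB warning level from the screenshot with a 1 GB default limit, and invents the user SCHOOL\Charlie.Brown and the function name Get-QuotaReport.

```powershell
# Added example (not part of the original DIS guide): the command-line equivalent of
# the Quota tab above, plus the "Quota Entries" view. NTFS quotas are per user, per
# volume, which is why the guide keeps Faculty-Homes and Student-Homes on different
# volumes. Assumptions: student homes on E:, default limit 1 GB / warning 950 MB,
# SCHOOL\Charlie.Brown is an invented user.
$driveLetter = 'E:'

# Win32_QuotaSetting is the Quota tab. State: 0 = disabled, 1 = track only (users can
# exceed the limit, it is only logged), 2 = enforced ("Deny disk space to users
# exceeding quota limit"). The WQL filter needs the backslash doubled.
$setting = Get-CimInstance -ClassName Win32_QuotaSetting -Filter "VolumePath='$driveLetter\\'"
$setting | Set-CimInstance -Property @{
    State                       = 2
    DefaultLimit                = 1GB          # "Limit disk space to"
    DefaultWarningLimit         = 950MB        # "Set warning level to"
    ExceededNotification        = $true        # log event when a user exceeds their quota limit
    WarningExceededNotification = $true        # log event when a user exceeds their warning level
}

# Per-user override, the same as editing one row in Quota Entries. fsutil takes bytes:
# <warning threshold> <limit> <user>, and the entry applies to this volume only.
fsutil quota modify $driveLetter $(950MB) $(2GB) 'SCHOOL\Charlie.Brown'

# "Quota Entries" from the command line: usage against limit for every user on the volume.
function Get-QuotaReport {
    param([string]$DriveLetter)
    Get-CimInstance -ClassName Win32_DiskQuota |
        Where-Object { $_.QuotaVolume.DeviceID -eq $DriveLetter } |
        ForEach-Object {
            [pscustomobject]@{
                User        = "$($_.User.Domain)\$($_.User.Name)"
                UsedMB      = [math]::Round($_.DiskSpaceUsed / 1MB)
                WarningMB   = [math]::Round($_.WarningLimit / 1MB)
                LimitMB     = [math]::Round($_.Limit / 1MB)
                OverWarning = $_.DiskSpaceUsed -gt $_.WarningLimit
            }
        } | Sort-Object UsedMB -Descending
}

Get-QuotaReport -DriveLetter $driveLetter | Format-Table -AutoSize
```

The report is worth running before you switch State from 1 to 2 on a volume that already has data on it: any user already over the new limit is denied the moment enforcement starts.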
DIRECTORY LEVEL QUOTA LIMITS USING FILE SERVER RESOURCE MANAGER

INSTALL FILE SERVER RESOURCE MANAGER

1. Launch Server Manager.


2. Click Manage and then select Add Roles and Features. 


[Screenshot: Server Manager, Manage menu open: Add Roles and Features, Remove Roles and
Features, Add Servers, Create Server Group, Server Manager Properties.]


3. On the Before You Begin screen, click Next. 


4. On the Select Installation type screen, select Role-based or Feature-based 
installation and click Next. 


5. On the Select Destination server screen, click Next. 


6. On the Select Server roles page expand File and Storage Services to view the 
options below. 


7. Expand File and iSCSI Services, select File Server Resource Manager. 


8. In the Add Roles and Features dialog box that pops up, click Add Features and
then click Next.


9. Click Next for rest of the screens, and then click Install. 
[Screenshot: Select server roles. File and Storage Services (Installed) > File and iSCSI
Services (Installed) > File Server (Installed), BranchCache for Network Files, Data
Deduplication, DFS Namespaces, DFS Replication, File Server Resource Manager (selected),
File Server VSS Agent Service, iSCSI Target Server.]
10. When the installation is finished, click Close and restart the server. 
CONFIGURE QUOTA TEMPLATES 
11. Now that the File Server Resource Manager role is installed, configure it by
clicking on Tools and selecting File Server Resource Manager from the drop
down list.




12. Expand Quota Management in the left-hand pane and click on Quota 
Templates. 


13. Under the Actions pane (far right) click Create Quota Template. 


14. Enter a template name, such as Faculty Home Directory Limits or Student Home 
Directory Limits. 


15. Enter the limit size and select either Hard quota or Soft quota. 


16. Email notifications to either the user or network administrative staff can be 
enabled by clicking on the Add button in the Notification threshold section. 


17. Click OK to save the Quota Template. 
APPLY QUOTA TEMPLATE TO DIRECTORY 


18. Under the Quota Management section of the left pane, click on Quotas. 


19. Right-click Quotas and select Create Quota. 


20. Click the Browse button to select the directory that you wish to apply the quota 
limit to. 


21. Select the quota type: 


Create quota on path: applies the space limitation to ALL files and folders within 
the parent directory. 


**This option should be used for folders such as Yearbook Staff or Multimedia 
class where multiple users save to the same folder. 


Auto apply template and create quotas on existing and new subfolders: applies the 
template to each subfolder within the parent folder. 


**This option should be used for applying limits on home directory folders and is 
automatically applied to any new folders created. This method allows you to keep 
your Faculty-Homes and Student-Homes parent folders on their own volume, or to 
place them on the Data volume with the rest of your network shares. 


22. Select the Quota Template to be used from the drop-down menu under Derive 
properties from this quota template and click Create. 


[Screenshot: Create Quota dialog with Derive properties from this quota template (recommended) set to Faculty Home Directory Limits. Summary of quota properties: Auto Apply Quota: C:\Faculty-Homes; Source template: Faculty Home Directory Limits; Limit: 1.00 GB (Hard); Notification: 1.] 
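The quota-template and auto-apply steps above, done with the FileServerResourceManager PowerShell cmdlets; this is an added example, not part of the DIS guide. The SMTP server and admin address, the student and shared-folder limits and paths, and the [bracketed] FSRM notification macros are assumptions.

```powershell
# Added example, not from the DIS guide: the FSRM quota setup scripted.
# Placeholders: SMTP relay, admin address, student/shared-folder sizes and paths.

# Steps 1-10: install the role and its console (restart the server afterwards).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Email notifications (step 16) need an SMTP relay; both values are placeholders.
Set-FsrmSetting -SmtpServer 'smtp.yourdomain.local' -AdminEmailAddress 'lanadmin@yourdomain.local'

# Steps 11-17: warn the folder owner and the admin at 85% of the limit.
# The [bracketed] names are FSRM notification macros (assumed available).
$warnMail = New-FsrmAction -Type Email `
    -MailTo '[Source Io Owner Email];[Admin Email]' `
    -Subject 'Home directory at [Quota Used Percent]% of its limit' `
    -Body 'The folder [Quota Path] has used [Quota Used] of its [Quota Limit] limit.'
$warn85 = New-FsrmQuotaThreshold -Percentage 85 -Action $warnMail

# Hard quotas (no -SoftLimit switch): writes are refused once the limit is reached.
New-FsrmQuotaTemplate -Name 'Faculty Home Directory Limits' -Size 1GB   -Threshold $warn85
New-FsrmQuotaTemplate -Name 'Student Home Directory Limits' -Size 500MB -Threshold $warn85  # size is a placeholder

# Steps 18-22, home directory case: auto-apply so that every existing and future
# subfolder under the parent gets its own quota derived from the template.
New-FsrmAutoQuota -Path 'C:\Faculty-Homes' -Template 'Faculty Home Directory Limits'
New-FsrmAutoQuota -Path 'C:\Student-Homes' -Template 'Student Home Directory Limits'

# Shared-folder case (Yearbook Staff): one soft quota on the path itself, so the
# class is warned but not blocked. Path and size are placeholders.
New-FsrmQuotaTemplate -Name 'Yearbook Shared Folder' -Size 20GB -SoftLimit -Threshold $warn85
New-FsrmQuota -Path 'D:\Shares\Yearbook' -Template 'Yearbook Shared Folder'

# Equivalent of the Quota Entries view: current usage per faculty home folder.
Get-FsrmQuota |
    Where-Object { $_.Path -like 'C:\Faculty-Homes\*' } |
    Select-Object Path, Template,
        @{ Name = 'UsedMB';  Expression = { [math]::Round($_.Usage / 1MB, 1) } },
        @{ Name = 'LimitMB'; Expression = { $_.Size / 1MB } },
        @{ Name = 'Hard';    Expression = { -not $_.SoftLimit } } |
    Sort-Object UsedMB -Descending
```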
FINE-GRAINED PASSWORD POLICIES (ACT-723) 


One of the nice features introduced in Windows Server 2019 AD DS is the ability to 
configure fine-grained password policies through the GUI. 


Fine-grained password policies allow network administrators to configure multiple 
password policies within a single domain, which can be used to apply different 
password and account lockout restrictions to different sets of users and 
groups. 


Precedence | 1 | 1 
Minimum Password Length | 8 | 8 
Minimum Password Age | 1 | 1 


To configure fine-grained password policies as per the table above (ACT723 - K12 State 
Security Policies), use the following steps: 


1. Launch Server Manager. 


2. Click on Tools and select Active Directory Administrative Center (ADAC) from 
the drop down list. 


3. When ADAC opens, change the view from List view to Tree View. 




4. Expand the Domain name and navigate to System and then Password Settings 
Container. 

5. Right-click on Password Settings Container, select New and then Password 
Settings. 


6. Specify the password policy settings for each of the required policies referenced 
in the table above. 


[Screenshot: Create Password Settings dialog for Faculty Password Policy, showing the Password Settings section (name, precedence, password age, length, history, complexity, reversible encryption, account lockout, protect from accidental deletion) and the Directly Applies To section.] 


7. After the attributes for the password policy has been filled in, click Add to link 
created policy to the required security group and click on OK twice. 


[Screenshot: Create Password Settings for Faculty Password Policy with the values filled in: Precedence 1; Enforce minimum password age, user cannot change the password within 1 day; Enforce minimum password length, 8 characters; Enforce maximum password age, user must change the password after 90 days; Enforce password history, 5 passwords remembered; Password must meet complexity requirements checked; Enforce account lockout policy, reset failed logon attempts count after 30 minutes, account locked out for a duration of 30 minutes; Protect from accidental deletion checked. The Select Users or Groups picker (from location school.local) is open for the Directly Applies To section.] 


**Repeat steps 5 - 7 for the Students password policy. 
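The same two policies created with the ActiveDirectory module, plus a check of which policy an account actually receives; this is an added example, not from the guide. The group names (Faculty, Students), the Students policy reusing the Faculty values, and the lockout threshold (not legible in the guide) are assumptions.

```powershell
# Added example, not from the DIS guide: fine-grained password policies via PowerShell.
Import-Module ActiveDirectory

$lockoutThreshold = 5    # PLACEHOLDER: failed logon attempts allowed, set per ACT-723

# Group names are assumptions; the Students policy reusing the Faculty values is too.
$policies = @(
    @{ Name = 'Faculty Password Policy';  Group = 'Faculty';  Precedence = 1 },
    @{ Name = 'Students Password Policy'; Group = 'Students'; Precedence = 1 }
)

# Values from the ACT-723 table and the Create Password Settings dialog above.
$settings = @{
    MinPasswordLength               = 8
    MinPasswordAge                  = New-TimeSpan -Days 1
    MaxPasswordAge                  = New-TimeSpan -Days 90
    PasswordHistoryCount            = 5
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false   # reversible storage is equivalent to plaintext
    LockoutThreshold                = $lockoutThreshold
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30
    ProtectedFromAccidentalDeletion = $true
}

foreach ($p in $policies) {
    # Both policies carry precedence 1, as in the table. A user who is in both groups
    # gets the PSO with the lowest precedence; on a tie AD decides by objectGUID, so
    # give overlapping groups distinct precedence values if that ever applies.
    New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence @settings
    # Step 7: link the PSO to the security group (Directly Applies To).
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Which PSO does a given account really get? No result means the Default Domain
# Policy applies, i.e. the user is in none of the linked groups.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { return 'Default Domain Policy' }
    $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'   # sample account name (constructed)
```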
SOME COMMON K12 GROUP POLICIES 


RETAIN SECURITY EVENT LOG FOR 90 DAYS GROUP POLICY 
1. Launch Server Manager. 


2. Click on Tools and select Group Policy Management from the drop-down list. 




3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


6. Expand Computer Configuration > Policies > Windows Settings > Security 
Settings and select Event Log. 


7. Set the policy setting Retain Security Log to 90 days. You will automatically be 
prompted to change the Retention method to days. Click OK. 


8. Set the Maximum Security Log Size to 131072 kilobytes (128MB). 


[Screenshot: Group Policy Management Editor, Event Log settings: Maximum security log size 131072 kilobytes; Retain security log 90 days; Retention method for security log By days; all application and system log settings Not Defined.] 


AUTO-BACKUP AND CLEAR EVENT LOGS (AT LEAST WINDOWS VISTA) 


9. Expand Computer Configuration > Policies > Administrative Templates > 
Windows Components > Event Log Service and select Security. 


10. Enable the Backup log automatically when full setting. 


11. Close the Group Policy Management Editor. 
SECURITY EVENT AUDITING — SECURITY EVENT LOG CONTENTS 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop-down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


6. Expand Computer Configuration > Policies > Windows Settings > Security 
Settings > Local Policies and select Audit Policy. 


7. Enable auditing for the following Policy Settings: 


Audit account logon events: Success AND Failure 
Audit account management: Success 
Audit logon events: Success AND Failure 
Audit policy change: Success 




8. Close the Group Policy Management Editor. 
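A check script for the Event Log and Audit Policy settings from this section and the previous one (added here, not from the guide): run it in an elevated PowerShell on a domain member after a gpupdate. The registry value locations are the ones these policies write to and are assumptions on my part.

```powershell
# Added verification script, not from the DIS guide. Confirms the security log size,
# retention, auto-backup and audit settings from the two sections above took effect.

function Test-SecurityLogPolicy {
    $findings = New-Object System.Collections.Generic.List[string]

    # Maximum security log size: 131072 KB (128 MB).
    $secLog = Get-WinEvent -ListLog Security
    if ($secLog.MaximumSizeInBytes -lt 131072KB) {
        $findings.Add("Security log max size is $($secLog.MaximumSizeInBytes / 1KB) KB, expected 131072 KB")
    }

    # Retain security log 90 days, retention method By days: stored as seconds
    # under the log's service key (assumed location).
    $evKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $retention = (Get-ItemProperty -Path $evKey -ErrorAction SilentlyContinue).Retention
    if ($retention -ne (90 * 24 * 3600)) {
        $findings.Add("Security log Retention is '$retention', expected 7776000 seconds (90 days)")
    }

    # 'Backup log automatically when full' (Administrative Templates, assumed location).
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
    $autoBackup = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).AutoBackupLogFiles
    if ($autoBackup -ne 1) {
        $findings.Add('AutoBackupLogFiles is not enabled for the Security log')
    }

    # Audit Policy: the legacy categories the guide enables, mapped to one
    # representative subcategory each as auditpol reports them.
    $expected = @{
        'Credential Validation'   = 'Success and Failure'   # Audit account logon events
        'User Account Management' = 'Success'               # Audit account management
        'Logon'                   = 'Success and Failure'   # Audit logon events
        'Logoff'                  = 'Success and Failure'
        'Audit Policy Change'     = 'Success'               # Audit policy change
    }
    # /r gives CSV with 'Subcategory' and 'Inclusion Setting' columns.
    $audit = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($sub in $expected.Keys) {
        $row    = $audit | Where-Object { $_.Subcategory -eq $sub }
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'No Auditing' }
        # Auditing more than required is fine; auditing less is a finding.
        $needsFailure = $expected[$sub] -like '*Failure*'
        $ok = ($actual -like '*Success*') -and (-not $needsFailure -or $actual -like '*Failure*')
        if (-not $ok) { $findings.Add("Audit '$sub' is '$actual', expected '$($expected[$sub])'") }
    }

    if ($findings.Count -eq 0) { 'All security log and audit settings match the policy.' }
    else { $findings }
}

Test-SecurityLogPolicy
```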
GROUP POLICY FOR LOGON BANNER 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop-down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


6. Expand Computer Configuration > Policies > Windows Settings > Security 
Settings > Local Policies and select Security Options. 


7. Navigate to the following options and Enable them: 


a. Interactive logon: Message text for users attempting to log on. 
b. Interactive logon: Message title for users attempting to log on. 




8. Close the Group Policy Management Editor. 
LOCKING SCREEN SAVER GROUP POLICY 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop-down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


6. Expand User Configuration > Policies > Administrative Templates > Control 
Panel and select Personalization. 


7. Set the Enable Screen Saver policy to Enabled. 


8. Set the Password Protect the Screen Saver policy to Enabled. 


9. Set the Screen Saver timeout to Enabled and to a recommended time of 900 
seconds (15 minutes). 




10. Close the Group Policy Management Editor. 


FOLDER REDIRECTION GROUP POLICY 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop-down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Group 
Policy Objects. 


5. Right-click on the Group Policy Objects and then select New. 
6. Name the new group policy Folder Redirection Policy and click OK. 


7. Expand Group Policy Objects. Right-click on the newly created Folder 
Redirection Policy and click Edit to open the Group Policy Editor. 


8. Expand User Configuration > Policies > Windows Settings and select Folder 
Redirection. 


9. Right-click on Documents and click Properties. 
10. Change the setting to Basic - Redirect everyone's folder to the same 
location and set the Target folder location to Redirect to the user's home 
directory. 


[Screenshot: Documents Properties, Target tab. Setting: Basic - Redirect everyone's folder to the same location; Target folder location: Redirect to the user's home directory. Note: This setting ignores the value of the Grant the user exclusive rights to Documents option on the Settings page.] 


Arkansas Department of Information Systems — APSCN LAN Support 
Printed on 5/16/2022 


74|Page 


11. Click the Settings tab and check the box Also apply redirection policy to 
Windows 2000, Windows 2000 Server... 


[Screenshot: Documents Properties, Settings tab. Grant the user exclusive rights to Documents and Move the contents of Documents to the new location are checked; Policy Removal offers Leave the folder in the new location when policy is removed or Redirect the folder back to the local userprofile location when policy is removed.] 


12. Click Apply and if prompted to also redirect Pictures, Music, etc. to the Home 
Directory, click Yes. Click OK. 


13. Close the Group Policy Management Editor. 




RESTRICT COMPUTERS TO FACULTY USE ONLY 


This policy can be used to prevent students from logging on to faculty machines. The 
policy is based on the Faculty user group and can be adjusted to whichever group of 
users meets your needs. 


1. Launch Server Manager. 


2. Click on Tools and select Active Directory Users and Computers from the 
drop-down list. 


3. Create a security group called Faculty Use Only Computers under the Custom 
Security Groups Organizational Unit (OU). 


4. Under Server Manager, click on Tools and select Group Policy Management 
from the drop-down list. 


5. Expand Forest: yourdomain.local. 


6. Expand Domains and then expand yourdomain.local and navigate to Group 
Policy Objects. 


7. Right-click on the Group Policy Objects and then select New. 
8. Name the new group policy Faculty Use Only Computers and click OK. 


9. Expand Group Policy Objects and select the newly created Faculty Use Only 
Computers policy. 


10. In the right-hand pane, click on the Scope tab. Under Security Filtering list, 
select Authenticated Users and then click the Remove button. 


11. Click the Add button, enter the group name Faculty Use Only Computers and 
then click the OK. 


12. Right-click on the newly created Faculty Use Only Computers policy and 
select Edit. 
13. Expand Computer Configuration > Policies > Windows Settings > Security 
Settings > Local Policies and select User Rights Assignment. 


14. In the right-hand window, double-click on Allow log on locally. 
15. Check the box for Define these policy settings. 


16. Click the Add User or Group button and add Domain Admins, 
Administrators, and Faculty to the list. Click Apply and OK. 




17. Close the Group Policy Management Editor and link the policy to the Faculty 
Workstations OU. 


**Once this policy is created and applied, add computers to the Faculty Use 
Only Computers security group to apply the policy. A reboot is required after 
the computer is added to or removed from the group to enforce or remove the 
policy. 
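The group, GPO, security filtering and OU link from the steps above, scripted with the ActiveDirectory and GroupPolicy modules (added example, not from the guide). The OU distinguished names and the computer name FAC-LAB-01 are assumptions; the Allow log on locally right (steps 13-16) still has to be set in the editor as described.

```powershell
# Added example, not from the DIS guide: steps 3-11 and 17 of the faculty-only policy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Custom Security Groups,$domainDN"   # OU name from the guide (DN assumed)
$targetOU = "OU=Faculty Workstations,$domainDN"     # OU name from the guide (DN assumed)
$gpoName  = 'Faculty Use Only Computers'

# Step 3: the computer group that decides which machines receive the policy.
New-ADGroup -Name $gpoName -Path $groupOU -GroupScope Global -GroupCategory Security `
    -Description 'Computers that only faculty may log on to'

# Steps 7-8: the GPO itself.
New-GPO -Name $gpoName -Comment 'Restricts local logon to faculty and administrators' | Out-Null

# Steps 10-11: security filtering. Authenticated Users loses the Apply right but keeps
# Read, because the computer account must still be able to read the GPO (required
# since the June 2016 Group Policy security update, MS16-072); the new group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $gpoName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Steps 13-16 (Allow log on locally: Domain Admins, Administrators, Faculty) have no
# GroupPolicy cmdlet; set them in the Group Policy Management Editor.

# Step 17: link the policy to the Faculty Workstations OU.
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# Apply it to a machine: add the computer account to the group, then reboot the
# machine so the new group SID is in its token (the reboot requirement noted above).
Add-ADGroupMember -Identity $gpoName -Members (Get-ADComputer -Identity 'FAC-LAB-01')  # constructed name

# Review who can read and who can apply the GPO.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -in 'GpoApply', 'GpoRead' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```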


REFRESH GROUP POLICY SETTINGS WITH GPUPDATE.EXE 


Syntax 


gpupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot] 


Parameters 

/target:{computer | user} 
Processes only the computer settings or the current user settings. By default, 
both the computer settings and the user settings are processed. 

/force 
Ignores all processing optimizations and reapplies all settings. The Group Policy 
engine on the client tracks versions of the GPOs that are applied to the user and 
computer. By default, if none of the GPO versions change and the list of GPOs 
remains the same, the Group Policy engine will not reprocess policy. This option 
overrides this optimization and forces the Group Policy engine to reprocess all 
policy information. 

/wait:value 
Number of seconds that policy processing waits to finish. The default is 600 
seconds. 0 means "no wait"; -1 means "wait indefinitely." 

/logoff 
Logs off after the refresh has completed. This is required for those Group Policy 
client-side extensions that do not process on a background refresh cycle but that 
do process when the user logs on, such as user Software Installation and Folder 
Redirection. This option has no effect if there are no extensions called that 
require the user to log off. 

/boot 
Restarts the computer after the refresh has completed. This is required for those 
Group Policy client-side extensions that do not process on a background refresh 
cycle but that do process when the computer starts up, such as computer 
Software Installation. This option has no effect if there are no extensions called 
that require the computer to be restarted. 

/? 
Displays help at the command prompt. 

Examples 
The following examples show how you can use the gpupdate command: 
• gpupdate 
• gpupdate /target:computer 
• gpupdate /force /wait:100 
• gpupdate /boot 


UPDATE GROUP POLICY SETTINGS FROM GROUP POLICY MANAGEMENT CONSOLE 


A new feature introduced with Windows Server 2019 is the ability to force a Group 
Policy update on a set of computers from within the Group Policy Management 
Console. The update process also reports how many computer objects will be 
affected by the update operation. 


This can be accomplished by right-clicking an Active Directory Organizational Unit (OU) 
and selecting Group Policy Update. 
[Screenshot: Group Policy Update on the Domain Controllers OU. The confirmation reads: "You have chosen to force a Group Policy update on all computers within Domain Controllers and all subcontainers. If you choose 'Yes' below, User and Computer policy settings will be updated on: 1 Computer. Are you sure you want to update policy for these computers?" The result pane reports: "Group Policy update will be forced on all computers within Domain Controllers and all subcontainers within the next 10 minutes. Both user and computer policy settings will be refreshed. Completed (1 of 1). Succeeded (1): WIN-DC1.school.local".] 
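The Group Policy Update action scripted with Invoke-GPUpdate, the cmdlet behind the GPMC action; added here, not from the guide. The OU distinguished name is an assumption, and the 10-minute default delay matches the dialog text above.

```powershell
# Added example, not from the DIS guide: force a policy refresh on every enabled
# computer under an OU and report per-computer results.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Update-OUGroupPolicy {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$RandomDelayInMinutes = 10    # spread the refresh over 10 minutes, as the GUI does
    )
    $computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree)
    Write-Host "Group Policy update will be forced on $($computers.Count) computer(s) under $SearchBase"

    foreach ($c in $computers) {
        try {
            # Schedules gpupdate /force for both user and computer policy on the target.
            Invoke-GPUpdate -Computer $c.DNSHostName -Force `
                -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
            [pscustomobject]@{ Computer = $c.DNSHostName; Result = 'Scheduled' }
        }
        catch {
            # Typical causes: the machine is off, or remote scheduled-task/RPC
            # traffic is blocked by the firewall (the same failures the GUI reports).
            [pscustomobject]@{ Computer = $c.DNSHostName; Result = $_.Exception.Message }
        }
    }
}

# OU distinguished name is an assumption based on the screenshot's domain.
Update-OUGroupPolicy -SearchBase 'OU=Domain Controllers,DC=school,DC=local' | Format-Table -AutoSize
```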


HOW TO CHECK GROUP POLICY SETTINGS ON A DOMAIN COMPUTER (GUI) 


1. Open the Resultant Set of Policy utility: move your mouse over the bottom-left 
Windows key (or press the Windows key on the keyboard), type rsop.msc and press Enter. 


[Screenshot: "Resultant Set of Policy is being processed..." dialog. It notes that, starting 
with Microsoft Windows Vista Service Pack 1 (SP1), the Resultant Set of Policies (RSoP) 
report does not show all Microsoft Group Policy settings, and that the full set of 
settings applied for a computer or user is shown by the command-line tool described in 
the next section. The Selection/Settings pane lists Mode: Logging, the user and computer 
names, and Display user/computer policy settings: Yes.] 


2. To check and verify the applied group policies, expand Computer Configuration 
and User Configuration. 
HOW TO CHECK GROUP POLICY SETTINGS ON A DOMAIN COMPUTER (CMD) 


To view all the policies applied to the user account you are currently logged in 
with, use the following command: 


1. Open Command Prompt (CMD). 
2. Type the command "GPRESULT /SCOPE USER /V". 
TROUBLESHOOTING WINDOWS SERVER 2019 


DISABLING THE SHUTDOWN EVENT TRACKER 


To turn off the Shutdown Event Tracker, navigate to the following key in your registry: 
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability 

**Creation of the Reliability key is required. 

Create a new DWORD with the following values: 


Value Name: ShutdownReasonOn 
Value: 0 (HEX) 




**The change takes effect immediately; no reboot is required. 
SET TIME SOURCE TO DIS / NTP TIME SERVER 
• First, locate your PDC Server. Open a command prompt on any server and type: 
netdom /query fsmo 
• Log into your PDC Server and open the command prompt. 
• Stop the W32Time service: 
net stop w32time 
• Configure the external time sources. The peer list is space-delimited and must be 
quoted when it holds more than one peer. Type: 
w32tm /config /syncfromflags:manual /manualpeerlist:"165.29.1.11 170.94.1.1" 
• Make your PDC a reliable time source for the clients. Type: 
w32tm /config /reliable:yes 
• Start the w32time service: 
net start w32time 


• The Windows Time service should begin synchronizing the time. You can check 
the external NTP servers in the time configuration by typing: 


w32tm /query /configuration 


**Check the Event Viewer for any errors. 


**DIS Time Servers - dsn1.state.ar.us, dns2.state.ar.us, dns3.state.ar.us 
**NTP Time Servers - time.windows.com, time.nist.gov, us.pool.ntp.org 
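An added check (not from the guide) to run on the PDC after the steps above: it confirms the current time source is one of the configured peers and lists recent Time-Service errors from the System log, which is what the Event Viewer check above looks for. The peer list is the one from the guide.

```powershell
# Added check, not from the DIS guide: is the PDC really syncing from the peers we set?
Import-Module ActiveDirectory

function Test-PdcTimeSource {
    param([string[]]$ExpectedPeers = @('165.29.1.11', '170.94.1.1'))   # peers from the guide

    # Same answer 'netdom /query fsmo' gives for the PDC emulator role.
    $pdc = (Get-ADDomain).PDCEmulator
    if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
        Write-Warning "Run this on the PDC emulator ($pdc); showing local results instead."
    }

    # 'w32tm /query /source' prints the peer in use, e.g. '165.29.1.11', or
    # 'Local CMOS Clock' when the service is not syncing from any peer.
    $source   = (w32tm /query /source | Out-String).Trim()
    $sourceOk = @($ExpectedPeers | Where-Object { $source -like "$_*" }).Count -gt 0

    # Critical/Error/Warning events from the time service in the last 24 hours.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        Level        = 1, 2, 3
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PdcEmulator   = $pdc
        CurrentSource = $source
        SourceIsPeer  = $sourceOk
        RecentErrors  = @($events).Count
        Details       = $events | Select-Object TimeCreated, Id, Message
    }
}

Test-PdcTimeSource
```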
ACTIVE DIRECTORY MAINTENANCE 


STEPS TO CHECK ACTIVE DIRECTORY REPLICATION IN WINDOWS SERVER (GUI) 


Check Active Directory object replication between the two Domain Controllers. 




1. Launch Server Manager. 


2. Click on Tools and select Active Directory Sites and Services from the drop- 
down list. 




Active Directory Sites and Services is the primary console used to replicate AD 
objects between the Domain Controllers. It also lets us manage the objects that 
represent the sites and the servers that reside in those sites. Site links are 
created automatically whenever a new Domain Controller is added to the 
environment. 


3. Expand and left-click Sites, Default-First-Site-Name, Servers. 


[Screenshot: Active Directory Sites and Services with Sites > Default-First-Site-Name > Servers expanded, showing DC-A.] 


4. To forcefully replicate AD, open the Active Directory Sites and Services console, 
click on DC-B, then right-click on NTDS Settings. Under the NTDS Settings, click 
"Replicate configuration from the selected DC". Through this option, we pull 
the information from the selected DC (FYI, replication is of 2 types, i.e. Pull and 
Push). 




5. A confirmation dialogue box opens, telling you that Active Directory 
Domain Services has replicated the connections. Click on OK. If you see any error, 
or if the Additional Domain Controller was recently promoted, then you need to wait 
for some time (about 30 minutes if intra-site and about two to four hours if 
inter-site) before you try forceful AD replication. 


6. This is the preferred method to replicate AD, as it only replicates data 
between the Domain Controllers that we select. It does not start replication 
between all the DCs, which consumes the most bandwidth and can create 
congestion in the environment. 




STEPS TO CHECK ACTIVE DIRECTORY REPLICATION IN WINDOWS SERVER (CMD) REPADMIN 


1. Open Command Prompt CMD (run as administrator) 


2. The first command we run is "Repadmin /replsummary" to check the 
current replication health between the domain controllers. The "/replsummary" 
operation quickly and concisely summarizes the replication state and relative health 
of a forest. 

** After running the command it shows information in two 
parts: Source DSA and Destination DSA. 


We can see that both servers are listed in both sections; the reason is 
that Active Directory uses a multi-master domain model. Active Directory 
can be updated from any writable Domain Controller, but not from a Read-only 
Domain Controller. An RODC would only be listed in the Destination DSA 
section. 


3. The second command, "Repadmin /Queue", shows the elements remaining 
in the queue to replicate. It displays the inbound replication requests 
that the Domain Controller needs to issue to become consistent with its 
source replication partners. 


4. The third command, "Repadmin /Showrepl", displays the replication 
status from when the specified domain controller last attempted to perform 
inbound replication of Active Directory partitions. It helps to figure out the 
replication topology and replication failures. 


5. The fourth command, "Repadmin /syncall", synchronizes a specified 
domain controller with all of its replication partners. We recommend that you do not 
run this command in a big environment, because it forcefully replicates 
Active Directory objects between all the domain controllers, which leads to 
excessive load on the network and can result in network congestion. 




6. "Repadmin /KCC" forces the KCC (Knowledge Consistency 
Checker) on the targeted domain controller(s) to immediately recalculate its 
inbound replication topology. It checks and creates the connections between 
the Domain Controllers. By default the KCC runs in the background every 15 
minutes to check whether a new connection between DCs has been established or not. 


**By running the command we are forcing DCs to check if a new Domain 
Controller is found in the environment and, if so, to add a connection to it. 


7. "Repadmin /replicate" starts immediate replication of the specified 
directory partition to the destination domain controller from the source DC. 




**The replication tools listed above are used to check AD replication and to 
replicate AD from the GUI and from the command prompt. 
TESTING / DIAGNOSE THE HEALTH OF ACTIVE DIRECTORY DOMAIN CONTROLLERS, DNS SERVERS, AD 
REPLICATION, AND OTHER AD DS INFRASTRUCTURE SERVICES (CMD) 


1. From the Domain Controller, open a command prompt 
2. Run Command 
dcdiag 




** It is recommended to run the Dcdiag test on the domain controller itself, 
and not remotely 




**The Dcdiag utility can perform up to 30 different tests related to the AD 
domain infrastructure, DNS, FSMO roles, etc. 
DELETE DEAD/TOMB-STONED DOMAIN CONTROLLER FROM ACTIVE DIRECTORY 


1. From another Domain Controller within the domain, open a command prompt 
and type ADSIEDIT.MSC 


2. In the ADSI Edit window, click Action > Connect To. 


3. In the Select a Well Known Naming Context drop-down menu, select 
Configuration, and click OK. 




REMOVING THE SERVER FROM THE ACTIVE DIRECTORY SITE 


4. Navigate to 
Configuration\CN=Configuration\CN=Sites\CN=<SiteName>\CN=Servers\CN=<ServerName>, 
where <SiteName> and <ServerName> correspond to the location 
of the dead domain controller. 


5. Right-Click on CN=NTDS Settings and click Delete. When prompted to delete the 
container and everything in it, click Yes. 




6. Right-Click CN=Server Name that you are removing and click Delete. Click Yes to 
confirm the delete. 
REMOVING THE SERVER FROM THE FILE REPLICATION SERVICE 
7. In the ADSI Edit window, click on ADSI Edit in the left-hand pane. 
8. Click Action > Connect To. 


9. In the Select a Well Known Naming Context drop-down menu, select Default 
naming context, and click OK. 


10. Navigate to Configuration\CN=System\CN=File Replication Service\CN=Domain 
System Volume(SYSVOL share)\CN=<ServerName>, where <ServerName> 
corresponds to the location of the dead domain controller. 

11. Right-click the CN=<ServerName>, and select Delete. 

12. Click Yes to delete the object. 


REMOVING THE SERVER FROM ACTIVE DIRECTORY SITES AND SERVICES 


13. Open Active Directory Sites and Services. 




14. Expand Sites. 

15. Expand the AD Site that the dead Domain Controller was a member of. 
16. Expand the dead Domain Controller. 

17. Right-click NTDS Settings and click Delete. 


18. When prompted, click Yes. 
19. You will receive the Confirm Subtree Deletion box as shown below. Check the 
Use Delete Subtree server control option and click Yes. 




20. Close Active Directory Sites and Services. 


REMOVING THE SERVER FROM ACTIVE DIRECTORY USERS AND COMPUTERS 


21. Open Active Directory Users & Computers. 




22. Browse to the Domain Controller Computer object, right-click and select Delete. 


23. When prompted to confirm the deletion, select Yes. 


24. Another confirmation box will pop up. 


25. Check the box next to “This Domain Controller is permanent...” and click Delete. 
26. Close Active Directory Users & Computers. 


**DNS may need to be verified to make sure that there are not any records tied to the 
server that was removed from the domain. 
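The DNS check mentioned in the note above, as an added example (not part of the original document): it scans every primary zone on a DNS server for records that still name or point at the removed domain controller. The DC name follows the document (DC-A in school.local); the IPv4 address, the function name and the DnsServer module (RSAT DNS tools) are assumptions. 

```powershell
# Added example (not from the original document): after a dead DC has been
# removed, look for DNS records that still point at it. The DC name follows
# the document (DC-A, school.local); the IPv4 address is a constructed
# placeholder. Requires the DnsServer module (RSAT DNS tools).

function Find-StaleDcDnsRecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$DcHostName,   # e.g. 'DC-A.school.local'
        [string]$DcIPv4,                               # optional, e.g. '10.0.0.10'
        [string]$DnsServer = 'localhost',
        [switch]$Remove                                # delete what is found (honours -WhatIf)
    )
    $shortName = ($DcHostName -split '\.')[0]
    $fqdn      = $DcHostName.TrimEnd('.')

    # Every primary zone, including _msdcs.<forest> (CNAME/SRV) and reverse zones (PTR).
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
             Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        foreach ($rec in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName) {
            $data = $rec.RecordData
            # Data fields of the record types a DC registers: A, CNAME, SRV, NS and PTR.
            # Properties absent on a given type simply come back $null and are dropped.
            $targets = @($data.IPv4Address, $data.HostNameAlias, $data.DomainName,
                         $data.NameServer, $data.PtrDomainName) |
                       Where-Object { $_ } | ForEach-Object { "$_".TrimEnd('.') }

            $hit = ($rec.RecordType -eq 'A' -and $rec.HostName -eq $shortName) -or
                   ($targets -contains $fqdn) -or
                   ($DcIPv4 -and $targets -contains $DcIPv4)
            if (-not $hit) { continue }

            $finding = [pscustomobject]@{
                Zone = $zone.ZoneName; Name = $rec.HostName
                Type = $rec.RecordType; Data = ($targets -join ',')
            }
            if ($Remove -and $PSCmdlet.ShouldProcess("$($zone.ZoneName)/$($rec.HostName) $($rec.RecordType)", 'Remove')) {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
                    -InputObject $rec -Force
            }
            $finding
        }
    }
}

# Usage: report first; add -Remove -WhatIf to preview deletions, then -Remove to delete.
Find-StaleDcDnsRecord -DcHostName 'DC-A.school.local' -DcIPv4 '10.0.0.10' | Format-Table -AutoSize
```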


MANUALLY SEIZE FSMO ROLES 


To seize the FSMO roles by using the Ntdsutil utility, follow these steps: 

• Log on to a Windows Server-based member computer or Domain Controller that 
is located in the forest where FSMO roles are being seized. 

**It is recommended that you log on to the domain controller that you are assigning 
FSMO roles to. 

**The logged-on user should be a member of the Enterprise Administrators group to 
transfer schema or domain naming master roles, or a member of the Domain 
Administrators group of the domain where the PDC emulator, RID master and the 
Infrastructure master roles are being transferred. 

• Open the Command Prompt utility by moving your mouse over the bottom-left 
Windows Key or pressing the Windows key on the keyboard, type cmd, run as an administrator 
and press Enter. 
• On the Command Prompt type ntdsutil, and then press ENTER. 
• Type roles, and then press ENTER. 
• Type connections, and then press ENTER. 
• Type connect to server "servername", and then press ENTER. 

**Servername is the name of the domain controller the FSMO role is being transferred to. 

• At the server connections prompt, type q, and then press ENTER. 
• Type seize role, where role is the role that you want to seize. 

**For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and 
then press ENTER, or see the list of roles at the end of this section. For example, to 
seize the RID master role, type seize rid master. The one exception is for the PDC 
emulator role, whose syntax is seize pdc, not seize pdc emulator. 

• At the fsmo maintenance prompt, type q, and then press ENTER. 
• Type q, and then press ENTER to quit the Ntdsutil utility. 
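The same operation done with the ActiveDirectory PowerShell module instead of Ntdsutil, as an added example (not part of the original document): it reads the current role holders first, transfers cleanly when the old holder still answers, and only seizes (Move-ADDirectoryServerOperationMasterRole -Force) when it does not. The function name, the -ForceSeize switch and the target DC name DC-B are my own assumptions. 

```powershell
# Added example (not from the original document): FSMO seizure with the
# ActiveDirectory module. A seizure is only appropriate when the old holder is
# permanently gone; if it still answers, the cmdlet transfers the role instead
# (no -Force). Function name, -ForceSeize switch and DC-B are assumptions.

function Invoke-FsmoSeizure {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$TargetDc,
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Roles = @('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster'),
        [switch]$ForceSeize   # seize even if the old holder answers ping but AD DS on it is dead
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Current holders per role, read from the directory itself (domain vs forest roles).
    $holder = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    foreach ($role in $Roles) {
        $current = $holder[$role]
        if ($current -ieq $TargetDc -or $current -like "$TargetDc.*") {
            Write-Host "$role is already held by $TargetDc"; continue
        }
        # Decide between a clean transfer and a seizure based on whether the holder answers.
        $reachable = Test-Connection -ComputerName $current -Count 1 -Quiet -ErrorAction SilentlyContinue
        $seize  = $ForceSeize -or -not $reachable
        $action = if ($seize) { 'Seize' } else { 'Transfer' }
        if (-not $PSCmdlet.ShouldProcess("$role from $current to $TargetDc", $action)) { continue }

        $params = @{ Identity = $TargetDc; OperationMasterRole = $role; Confirm = $false }
        if ($seize) { $params.Force = $true }   # -Force is what turns a transfer into a seizure
        Move-ADDirectoryServerOperationMasterRole @params
        Write-Host "$action of $role to $TargetDc completed"
    }
}

# Usage: preview with -WhatIf, then run for real (prompts once per role).
Invoke-FsmoSeizure -TargetDc 'DC-B' -Roles PDCEmulator, RIDMaster -WhatIf
```

As the notes above say, the schema and domain naming roles need Enterprise Admins membership; the other three need Domain Admins in the affected domain. 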
HOW TO RESET THE DIRECTORY SERVICES RESTORE MODE ADMINISTRATOR ACCOUNT PASSWORD 


24. Click Start, click Run, type ntdsutil, and then click OK. 
25. At the Ntdsutil command prompt, type set dsrm password. 
26. At the DSRM command prompt, type one of the following lines: 
a. To reset the password on the server on which you are working, type: 
reset password on server null 


**The null variable assumes that the DSRM password is being reset on the local 
computer. Type the new password when you are prompted. 


**No characters appear while you type the password. 
b. To reset the password for another server, type: 
reset password on server servername 


**where servername is the DNS name for the server on which you are resetting the 
DSRM password. 


c. Type the new password when you are prompted. 
27. At the DSRM command prompt, type q. 


28. At the Ntdsutil command prompt, type q to exit. 
HOW TO CREATE A BOOTABLE USB DRIVE FROM ISO TO INSTALL WINDOWS SERVER 2019 (GUI) 


1. Purchase Windows Server Edition / Download .ISO & Activation Key 
For ESS Agreement log on to the Microsoft Volume Licensing Service Center 
(VLSC) https://www.microsoft.com/Licensing/servicecenter/default.aspx 
2. Download & install software to a computer to burn the ISO (Rufus, etc.) 
3. Insert an at least 8GB USB Drive / Blank Dual Layer DVD-R into the computer 


4. Open the software, configure the options and click Start to copy the ISO to USB / DVD 
• Configure Boot Selection: choose the downloaded Windows Server 2019 iso file 
• Configure Partition Scheme: select GPT 
• Configure Target System: select UEFI (non CSM) 
• File System: select NTFS 




5. 
** Must Disable Secure Boot in Server Bios to Install Software 
HOW TO CREATE A BOOTABLE USB DRIVE FROM ISO TO INSTALL WINDOWS SERVER 2019 (PS) 


1. Purchase Windows Server Edition / Download .ISO & Activation Key 
For ESS Agreement log on to the Microsoft Volume Licensing Service Center 
(VLSC) https://www.microsoft.com/Licensing/servicecenter/default.aspx 


2. Download Windows Server 2019 ISO to a computer 


3. Insert an at least 8GB USB Drive into the computer 
**must follow steps 4 to 15 to prepare the USB Drive for the ISO 


4. Create a variable for the file location of the Windows Server 2019 ISO on the computer 
$isopath = 'C:\Users\Public\Downloads\WindowsServer2019.iso' 


5. Open the PowerShell utility by moving your mouse over the bottom-left 
Windows Key or pressing the Windows key on the keyboard, type powershell, run as an 
administrator and press Enter 
** Before we can format the USB drive, we need to establish the disk number 
Windows has assigned it. Run the command below to list all the USB drives 
attached to your computer: 


6. Run Command 
Get-Disk | Where-Object BusType -eq USB | Format-Table -AutoSize 
**I know that my USB drive is called 'Patriot Memory', so it is disk number '2'. 
Let's create an object ($usb) for disk '2'. You should replace -eq 2 with the 
number of your USB drive. 


7. Run Command 
$usb = Get-Disk | Where-Object Number -eq 2 
**Now, we're going to delete all the data on the USB drive using Clear-Disk. Type 
Y and press ENTER to confirm you want to delete all data on the drive. This is a 
good time to double-check that you have the correct disk number! 


8. Run Command 
$usb | Clear-Disk -RemoveData 


9. Format the USB drive 
Now let’s make sure the disk is configured with a GUID Partition Table so that we 
can use it to boot UEFI systems. 


10. Run Command 
$usb | Set-Disk -PartitionStyle GPT 
** Create a new volume on the drive using New-Partition. When prompted in 
the Format USB Drive dialog, format the volume using FAT32. You must use 
FAT32. Optionally, give the drive a volume name in the Volume label field. Click 
Start to format the USB drive. Click OK in the warning dialog to confirm that 
formatting the drive will erase all data. 


11. Run Command 
$volume = $usb | New-Partition -UseMaximumSize -AssignDriveLetter 
** Close the Format USB Drive dialog once formatting is complete. 


12. Copy the Windows Server 2019 media files to the USB drive 
**Now that we have configured the USB drive so that it can be used to boot our 
server hardware, all that’s left to do is copy the Windows Server media files to 
the USB drive. Let’s start by mounting the downloaded Windows Server .iso file 
to a drive in Windows 


13. Run Command (-PassThru is required, otherwise Mount-DiskImage returns nothing and $mount stays empty) 
$mount = Mount-DiskImage -ImagePath $isopath -StorageType ISO -PassThru 
**Windows will assign the new mounted drive a letter. We can use Get-Volume 
to get the assigned drive letter: 


14. Run Command 
$drive = ($mount | Get-Volume).DriveLetter 
**Now, let's copy the entire contents of the mounted .iso file to the USB disk 
using Copy-Item: 




15. Run Command 
Copy-Item -Path ($drive + ":\*") -Destination ($volume.DriveLetter + ":\") -Recurse 
**If Copy-Item exits with an error, it's because it failed to copy the largest file, 
install.wim, to the USB drive. FAT32 has a file size limit of 4GB and install.wim might 
be larger than the limit. To solve the problem, we can use the Windows 10 DISM 
tool to split the install.wim file into two smaller files: install.swm and 
install2.swm. 


16. Windows 10 DISM tool 
First, we’ll need to create the two new files on our local disk. In this example, I’ve 
chosen to create them in C:\Users\Public\Downloads. Note that you may need 
to replace ‘f’ in ‘f:\sources\install.wim’ with a different drive letter. Windows 
might have assigned a different drive letter to your mounted .iso file. You can 
check the drive letter Windows assigned by opening File Explorer (WIN+E). 


17. Run Command 
dism /Split-Image /ImageFile:f:\sources\install.wim /SWMFile:C:\Users\Public\Downloads\install.swm /FileSize:4096 




18. Now, let’s copy the two new files, install.swm and install2.swm, to our USB drive: 


19. Run Commands 
Copy-Item -Path C:\Users\Public\Downloads\install.swm -Destination ($volume.DriveLetter + ":\sources\install.swm") 


Copy-Item -Path C:\Users\Public\Downloads\install2.swm -Destination ($volume.DriveLetter + ":\sources\install2.swm") 
20. Finally, all that's left to do is to unmount the Windows Server .iso file from our 
local device using Dismount-DiskImage: 


21. Run Command 
Dismount-DiskImage -ImagePath $isopath 


22. After completion, insert the USB Drive into the server and boot from the drive 
** Must Disable Secure Boot in Server BIOS to Install Software 
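Steps 4 to 21 above as one script, added here as an example (not part of the original document): it handles the install.wim-over-4GB case before the copy rather than after Copy-Item fails. It departs from the page in three ways, all assumptions of mine: the USB disk is chosen by its friendly name instead of a hard-coded disk number, Format-Volume replaces the Format dialog, and robocopy does the bulk copy so that install.wim can be excluded; the ISO path and USB name are placeholders. 

```powershell
# Added example (not from the original document): steps 4-21 as one script,
# handling the install.wim-over-4GB case before the copy instead of after
# Copy-Item fails. Differences from the page: the USB disk is chosen by its
# friendly name, Format-Volume replaces the Format dialog, and robocopy does
# the bulk copy so install.wim can be excluded. Paths and the USB name are
# placeholders to adjust.
param(
    [string]$IsoPath = 'C:\Users\Public\Downloads\WindowsServer2019.iso',
    [string]$UsbName = 'Patriot Memory',            # FriendlyName shown by Get-Disk
    [string]$WorkDir = 'C:\Users\Public\Downloads'  # where the split .swm files are written
)
$ErrorActionPreference = 'Stop'
$fat32Limit = 4GB   # FAT32 cannot hold a single file of 4 GB or more

# Steps 6-7: pick the USB disk by name; refuse to continue unless exactly one matches.
$usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' -and $_.FriendlyName -eq $UsbName })
if ($usb.Count -ne 1) { throw "Expected one USB disk named '$UsbName', found $($usb.Count)." }
$usb = $usb[0]
Write-Host "Wiping disk $($usb.Number) ($($usb.FriendlyName), $([math]::Round($usb.Size/1GB,1)) GB)"

# Steps 8-11: wipe, GPT, one FAT32 partition (FAT32 is what UEFI firmware boots from).
$usb | Clear-Disk -RemoveData -Confirm:$false
$usb | Set-Disk -PartitionStyle GPT
$volume = $usb | New-Partition -UseMaximumSize -AssignDriveLetter |
          Format-Volume -FileSystem FAT32 -NewFileSystemLabel 'WS2019' -Confirm:$false
$dest = "$($volume.DriveLetter):\"

# Steps 13-14: mount the ISO and find the drive letter Windows assigned to it.
$mount = Mount-DiskImage -ImagePath $IsoPath -StorageType ISO -PassThru
$src   = "$(($mount | Get-Volume).DriveLetter):\"
try {
    # Step 15: copy everything except install.wim; robocopy exit codes of 8 or more are failures.
    robocopy $src $dest /E /XF install.wim /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    $wim = Get-Item (Join-Path $src 'sources\install.wim')
    if ($wim.Length -lt $fat32Limit) {
        Copy-Item $wim.FullName (Join-Path $dest 'sources\install.wim')
    } else {
        # Steps 16-19: split into install.swm, install2.swm, ... then copy the pieces over.
        Write-Host "install.wim is $([math]::Round($wim.Length/1GB,2)) GB; splitting for FAT32"
        $imageArg = "/ImageFile:$($wim.FullName)"
        $swmArg   = "/SWMFile:$(Join-Path $WorkDir 'install.swm')"
        dism /Split-Image $imageArg $swmArg /FileSize:4096 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dism /Split-Image failed with exit code $LASTEXITCODE" }
        Copy-Item (Join-Path $WorkDir 'install*.swm') (Join-Path $dest 'sources')
    }
} finally {
    # Step 21: always unmount the ISO, even if the copy failed part way through.
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
Write-Host "Done. Boot the server from the USB drive ($dest); Secure Boot may need to be disabled first."
```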


http://support.microsoft.com/default.aspx?scid=kb;en-us;322672 


Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, 
Windows NT, Active Directory, and Windows Server are either registered trademarks or 
trademarks of Microsoft Corporation in the United States and/or other countries. 


This product contains graphics filter software; this software is based, in part, on the 
work of the Independent JPEG Group. 


All other trademarks are property of their respective owners. 